CVE-2019-14950
Published 2019-08-12
CVE-2019-14950: The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page.
Priority P278 · medium · 6.1 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.21% (64.6th percentile)
Affected: 1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3cx | live_chat | < 8.0.27 | 8.0.27 |
Detection & IOCs (extracted from sources)
bytes
4a0a0047304502204cccb8863d17e431141566da306222468ddba015fdb95517b48e79304f8c5463022100aa4717b46cb0708efaf2c55568a965d85ae9c8a392f05d0f70e4c5506cbab659:922c64590222798bb761d5b6d8e72950
- XSS payload targeting the GDPR page of the wp-live-chat-support plugin; look for script injection via `console.log(document.domain)` in HTTP responses to the GDPR page endpoint
- Vulnerability only affects wp-live-chat-support plugin versions before 8.0.27; ensure version check is part of detection scope
CVSS provenance
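| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | | 6.1 | MEDIUM | |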
GHSA
GHSA-wrxf-339r-r7hx: The wp-live-chat-support plugin before 8
ghsa_unreviewed · 2022-05-24
CVE-2019-14950 [MEDIUM] CWE-79 GHSA-wrxf-339r-r7hx: The wp-live-chat-support plugin before 8
The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page.
VulnCheck
3cx live_chat Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck · 2019 · CVSS 6.1
CVE-2019-14950 [MEDIUM] 3cx live_chat Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page.
Affected: 3cx live_chat
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-live-chat-support/wp-live-chat-support-8027-unauthenticated-stored-cross-site-scripting
No detection rules found.
Nuclei
WP Live Chat Support <= 8.0.27 — Stored Cross-Site Scripting
nuclei · CVSS 6.1
CVE-2019-14950 [MEDIUM] WP Live Chat Support <= 8.0.27 — Stored Cross-Site Scripting
WP Live Chat Support console.log(document.domain)")'
- 'contains(content_type, "text/html")'
- 'status_code == 200'
condition: and
# digest: 4a0a0047304502204cccb8863d17e431141566da306222468ddba015fdb95517b48e79304f8c5463022100aa4717b46cb0708efaf2c55568a965d85ae9c8a392f05d0f70e4c5506cbab659:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
2019-08-12: Published
Exploited in the wild