CVE-2018-11105

Name of the Vulnerable Software and Affected Versions wp-live-chat-support plugin versions prior to 8.0.08

Description The issue is related to stored cross-site scripting in the wp-live-chat-support plugin for WordPress. This occurs via the name (aka wplc name) and email (aka wplc email) input fields to the "/wp-json/wp live chat support/v1/start chat" API endpoint whenever a malicious attacker initiates a new chat with an administrator.

Recommendations For versions prior to 8.0.08, update to version 8.0.08 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/wp-json/wp live chat support/v1/start chat" API endpoint to minimize the risk of exploitation. Additionally, avoid using the wplc name and wplc email input fields in the affected API endpoint until the issue is resolved.