CVE-2024-12451

Name of the Vulnerable Software and Affected Versions HTML5 Chat Plugin for WordPress versions 1.04 and earlier

Description The issue concerns a Stored Cross-Site Scripting vulnerability in the HTML5 chat plugin for WordPress. This vulnerability is due to insufficient input sanitization and output escaping on user-supplied attributes in the plugin's 'HTML5CHAT' shortcode. As a result, authenticated attackers with contributor-level access and above can inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page.

Recommendations For versions 1.04 and earlier, update to a version later than 1.04 to resolve the issue. As a temporary workaround, consider disabling the 'HTML5CHAT' shortcode until a patch is available. Restrict access to the plugin's attributes to minimize the risk of exploitation. Avoid using user-supplied attributes in the 'HTML5CHAT' shortcode until the issue is resolved.