Tidio Live Chat <= 4.1.0 CSRF to Stored XSS
Description
A CSRF vulnerability in the Tidio Live Chat WordPress plugin <= 4.1.0 allows an attacker to trick an authenticated administrator into storing an XSS payload, which is then served to all visitors of the site.

Fixed in 4.2.0.
Proof of Concept

The PoC will be displayed on November 19, 2019, to give users the time to update.

Affects Plugin

Fixed in version 4.2.0

References

URL https://dannewitz.ninja/posts/tidio-livechat-wordpress-plugin-csrf-to-stored-xss
URL https://plugins.trac.wordpress.org/changeset/2186087/

Classification

Type CSRF
CWE CWE-352

Miscellaneous

Original Researcher Paul Dannewitz
Submitter Paul Dannewitz
Submitter Website https://dannewitz.ninja
Submitter Twitter padannewitz
Views 2430
Verified No
WPVDB ID 9938

Timeline

Publicly Published 2019-11-05
Added 2019-11-05
Last Updated 2019-11-05
