During an installation for one of our customers, we had to install a suitable chat plugin for WordPress. There are a lot of them, but we decided to choose the first one that comes in the row. Because we like security, we of course tested the plugins against some well-known vulnerabilities. The result was frustrating: every single plugin of those we’ve tested is vulnerable to stored cross-site scripting.
Since we are white hats, we’ve reported all of them first to the vendors. Only one of them (https://wordpress.org/plugins/wp-live-chat-support/) answered us and wanted to have more information, big thumbs up to them! For this reason we’ve waited to publish this until they’ve fixed the issue.
1.) WP-Live Chat stored Cross Site Scripting
2.) MyLiveChat stored Cross Site Scripting
3.) Provide Support stored Cross Site Scripting