wp-live-chat-support.php neither protects its requests against CSRF nor entity-encodes the cid parameter before writing it back into the page. An attacker who gets a logged-in administrator to open a crafted GET request with script content in the cid field therefore has that script executed in the administrator's browser session (reflected cross-site scripting); the missing nonce check is what lets the attacker supply the link, and the missing output encoding is what lets the payload run.
Affected versions: 7.0.06 and below
Fix: upgrade to version 7.0.07 or newer
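The two defects named above, shown side by side in an added example that is not the plugin's code and not taken from the advisory: a hypothetical admin-page handler that echoes cid without encoding and accepts any GET request, beside a hardened version that requires a capability and a WordPress nonce, coerces cid to an integer, and escapes on output. The function names, the 'wplc_example_view_chat' nonce action and the 'wplc-example' page slug are assumptions made for this illustration.

```php
<?php
/*
 * Illustrative code, not the plugin's own. Function names, the nonce
 * action 'wplc_example_view_chat' and the page slug 'wplc-example' are
 * assumptions for this example.
 */

// Vulnerable pattern: cid is read from the query string and written into
// the admin page without entity encoding, and nothing ties the request to
// a link the administrator actually generated, so an attacker-crafted GET
// URL is accepted as-is.
function wplc_example_render_vulnerable() {
    $cid = isset( $_GET['cid'] ) ? $_GET['cid'] : '';
    echo '<input type="hidden" name="cid" value="' . $cid . '" />';
    echo '<h2>Chat ' . $cid . '</h2>';
    // A cid such as  "><script>...</script>  closes the value attribute
    // and the script runs in the logged-in administrator's session.
}

// Hardened pattern:
//  1. require a capability, so unauthenticated visitors get nothing;
//  2. require a valid nonce, so a forged link is rejected before output;
//  3. treat cid as the integer it is meant to be;
//  4. escape every echoed value with the function for its HTML context.
function wplc_example_render_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html( 'Insufficient permissions.' ) );
    }
    // check_admin_referer() calls wp_die() when _wpnonce is missing or
    // does not verify against the given action for this user.
    check_admin_referer( 'wplc_example_view_chat' );

    $cid = isset( $_GET['cid'] ) ? absint( wp_unslash( $_GET['cid'] ) ) : 0;

    // esc_attr() for attribute context, esc_html() for element content.
    echo '<input type="hidden" name="cid" value="' . esc_attr( $cid ) . '" />';
    echo '<h2>' . esc_html( sprintf( 'Chat %d', $cid ) ) . '</h2>';
}

// Links to the hardened page are built with wp_nonce_url(), so only a URL
// generated for the current user carries a nonce check_admin_referer()
// will accept; an attacker cannot mint one for a victim's session.
function wplc_example_chat_link( $cid ) {
    $url = add_query_arg(
        array( 'page' => 'wplc-example', 'cid' => absint( $cid ) ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'wplc_example_view_chat' );
}
```

Output escaping alone removes the script execution; the nonce is the CSRF half of the fix and is worth keeping as defense in depth, since it stops the crafted request before any reflected value reaches the page. In a real plugin the render function would be registered through admin_menu and add_menu_page, and every place cid is printed, not just the two shown, would need the matching esc_* call.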
WordPress Exploit Framework Module
Proof of Concept