ClickDesk Multiple Persistent XSS

Details
========================================================================================
Product: ClickDesk (cross-platform live chat and support plugin)
Security-Risk: High
Remote-Exploit: yes
Vendor-URL: https://www.clickdesk.com/
Advisory-Status: NotPublished

Credits
========================================================================================
Discovered by: Owais Mehtab
Greets To: Mirza Burhan Baig, Muhammad Waqar, Muhammad Ali Baloch, Navaid Zafar Ansari

Affected Products:
========================================================================================
ClickDesk <=4.3
Tested on WordPress 3.8.1

Description
========================================================================================
"Live Chat Plugin"

More Details
========================================================================================
I have discovered persistent cross-site scripting (XSS) in ClickDesk. The
vulnerability is easy to exploit and can be used to steal cookies, perform
phishing attacks and mount various other attacks that compromise the security of a
user.

Proof of Concept
========================================================================================
1-Live Chat XSS
---------------
Go to any website that has ClickDesk Live Chat installed.

Click on the "Live Chat" widget and enter the vector below in the name field:

"><img src=O onerror=prompt(document.cookie);>

Now click on "initiate chat".

Voilà, here you go with your own cookie!


2-Email XSS
-----------
Go to any website that has ClickDesk Live Chat installed.

Click on the "Live Chat" widget, this time select the email option, and enter the vector below in the message field:

"><img src=O onerror=prompt(document.cookie);>

Now click on "submit".

Voilà, again here you go with your own cookie!



Solution
========================================================================================
Edit the source code to ensure that user-supplied input, such as the chat name and email message fields, is properly sanitised before it is rendered.
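As an added illustration of the fix (example code, not ClickDesk's source; the field names and wrapper markup are assumed), the same transcript line rendered with a script-only blocklist, which lets the advisory's vector through, and with output-time HTML escaping, which turns it into inert text:

```javascript
// Added example (not ClickDesk code): a chat transcript line rendered with a
// blocklist filter and with proper HTML escaping. The field names
// (visitorName, message) and the wrapper markup are assumed for illustration.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape every character that can open a tag, close an attribute or start an
// entity. This is applied at output time to each untrusted field; filtering in
// the widget alone is not enough, because the stored value is rendered later
// (persistent XSS) in the agent view and in the email.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: only <script> tags are stripped. The advisory's vector is
// an <img> element with an onerror handler, so it passes through untouched.
function renderVisitorLineNaive(visitorName, message) {
  const stripScript = (s) => String(s).replace(/<\/?script[^>]*>/gi, '');
  return `<div class="msg"><b>${stripScript(visitorName)}</b>: ${stripScript(message)}</div>`;
}

// Hardened version: escape each untrusted field where it lands in HTML text.
function renderVisitorLine(visitorName, message) {
  return `<div class="msg"><b>${escapeHtml(visitorName)}</b>: ${escapeHtml(message)}</div>`;
}

// Detection aid: true when a submitted field contains a character that could
// introduce a tag. Worth logging server-side before the value is stored.
function looksLikeMarkup(value) {
  return /[<>]/.test(String(value));
}

// The vector quoted in the advisory, used here as constructed test input.
const ADVISORY_VECTOR = '"><img src=O onerror=prompt(document.cookie);>';

console.log('naive   :', renderVisitorLineNaive(ADVISORY_VECTOR, 'hello'));
console.log('escaped :', renderVisitorLine(ADVISORY_VECTOR, 'hello'));
console.log('flagged :', looksLikeMarkup(ADVISORY_VECTOR));
```

The naive output still contains a live `<img ... onerror=...>` element, while the escaped output shows the vector as literal text inside the `<b>` element.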


-- 
Regards,
Owais Mehtab