An unauthenticated user can inject arbitrary JavaScript code in the admin panel by using the text field "Name" of WP Live Chat Support. The arbitrary code runs on the page wplivechat-menu-history.

In the file wp-live-chat-support.php there is no sanitization of $result->id (row 4439).
WP Live Chat Support 8.0.05 is vulnerable, probably earlier versions too.

In WP Live Chat Support 8.0.06 the vulnerability is fixed.

Video PoC: https://www.youtube.com/watch?v=eHG1pWaez9w

URL public disclosure: https://www.gubello.me/blog/wp-live-chat-support-8-0-05-stored-xss/
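
The pattern described above, shown as an added example (not code from wp-live-chat-support.php or from the plugin's fix): a history table built from stored, visitor-supplied fields, first without output escaping and then with it. The row layout, function names and sample data are assumptions made for illustration; inside WordPress the equivalent helpers are esc_html(), esc_attr() and absint().

```php
<?php
// Added example: hypothetical names, not code from wp-live-chat-support.php.

// Constructed rows standing in for stored chat sessions; 'name' is visitor-supplied.
$rows = [
    (object) ['id' => '17', 'name' => 'Alice'],
    (object) ['id' => '18', 'name' => '<script>alert(1)</script>'],
];

// Escape a value for an HTML text node or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: stored fields are concatenated straight into the admin page markup,
// so any markup a visitor typed is parsed by the administrator's browser.
function render_history_unsafe(array $rows): string
{
    $html = '';
    foreach ($rows as $r) {
        $html .= "<tr id=\"record_{$r->id}\"><td>{$r->name}</td></tr>\n";
    }
    return $html;
}

// After: the id is forced to an integer and every string is escaped at output
// time, so stored markup is displayed as text instead of being executed.
function render_history_safe(array $rows): string
{
    $html = '';
    foreach ($rows as $r) {
        $id = (int) $r->id;
        $html .= '<tr id="record_' . $id . '"><td>' . h((string) $r->name) . "</td></tr>\n";
    }
    return $html;
}

echo "unsafe:\n", render_history_unsafe($rows);
echo "safe:\n", render_history_safe($rows);
```

Escaping at output protects the admin page even for rows that were stored before any input-side sanitization was added.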
