Description
Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Attackers can submit payloads containing script tags and event handlers that execute in the admin area, enabling cookie theft or forced redirects to malicious websites.
Published: 2026-06-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Live Chat Unlimited 2.8.3 contains a stored cross‑site scripting flaw in the chat input field. The vulnerability allows attackers to submit malicious payloads, including script tags and event handlers, that are stored and later executed in the administrator interface. This can lead to theft of session cookies or forced redirects to malicious sites.

Affected Systems

Affected systems are WordPress sites running the Screets Live Chat Unlimited plugin version 2.8.3. The product is distributed by Screets and is commonly installed as a live chat widget in WordPress installations.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. No EPSS is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can act without authentication by posting the payload via the publicly exposed chat box. The stored scripts execute when an administrator opens the chat, thus the vulnerability is primarily an administrative‑side code execution risk. Even though the exploit does not provide server‑side code execution, it can facilitate credential theft or redirect attacks. Prompt patching mitigates this risk.

Generated by OpenCVE AI on June 5, 2026 at 12:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Live Chat Unlimited to the latest version that addresses stored XSS (greater than 2.8.3).
  • Ensure that the chat input field sanitizes user input; configure a content security policy to limit script execution in admin pages.
  • Disable chat functionality for unauthenticated users or restrict chat access to authenticated users only.

Generated by OpenCVE AI on June 5, 2026 at 12:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 05 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

 cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Screets
Screets live Chat Unlimited
Wordpress
Wordpress wordpress
Vendors & Products Screets
Screets live Chat Unlimited
Wordpress
Wordpress wordpress

Thu, 04 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Attackers can submit payloads containing script tags and event handlers that execute in the admin area, enabling cookie theft or forced redirects to malicious websites.
Title Live Chat Unlimited 2.8.3 Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Screets Live Chat Unlimited
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-11T15:25:37.911Z

Reserved: 2026-06-04T11:05:12.597Z

Link: CVE-2019-25737

cve-icon Vulnrichment

Updated: 2026-06-04T14:01:58.510Z

cve-icon NVD

Status : Deferred

Published: 2026-06-04T14:16:32.007

Modified: 2026-06-10T02:16:31.787

Link: CVE-2019-25737

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T12:30:40Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')