Description
The LiveSmart Video Chat Live Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livesmart_widget' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-28
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The LiveSmart Video Chat plugin for WordPress is vulnerable to stored cross‑site scripting through its 'livesmart_widget' shortcode. The plugin fails to sanitize user‑supplied attributes of the shortcode, allowing authenticated attackers with contributor‑level access or higher to inject arbitrary JavaScript into pages. Such injected scripts execute automatically whenever any user opens the affected page, enabling the attacker to steal session cookies, log keystrokes, or perform other malicious client‑side actions.

Affected Systems

All versions of the LiveSmart Video Chat WordPress plugin up to and including 1.2 are affected. The vulnerability requires that the attacker be logged in with at least contributor privileges. No specific WordPress core or additional software versions are mentioned, so the risk applies to any site running the vulnerable plugin.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation. The likely attack path is an authenticated user with contributor or higher privileges creating or editing content that includes the 'livesmart_widget' shortcode. If the injection succeeds, the script runs in the browser of any visitor to the page.

Generated by OpenCVE AI on May 28, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version newer than 1.2 if available
  • If upgrade is not possible, remove or restrict the 'livesmart_widget' shortcode for contributor+ users
  • Apply a Content Security Policy that blocks inline scripts and restricts script execution
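
One way to apply the second recommended action, as an added example (not code from the LiveSmart plugin, Wordfence or OpenCVE): a must-use plugin that stops WordPress from rendering 'livesmart_widget' unless the post's author holds the unfiltered_html capability. The file location, the lsw_ names and the choice of unfiltered_html as the trust boundary are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict livesmart_widget shortcode (added example)
 *
 * Hypothetical location: wp-content/mu-plugins/restrict-livesmart-widget.php
 * Suppresses the shortcode for content whose author is not trusted to
 * publish raw markup, so attribute values never reach the plugin's renderer.
 */

// Assumption: holders of 'unfiltered_html' (editors and administrators on a
// single site, super admins only on multisite) may already publish scripts,
// so rendering the shortcode for them adds no new exposure.
const LSW_TRUSTED_CAP = 'unfiltered_html';

add_filter( 'pre_do_shortcode_tag', 'lsw_restrict_shortcode', 10, 2 );

/**
 * Short-circuit rendering of 'livesmart_widget' for untrusted authors.
 *
 * @param false|string $return Value from earlier filters (false = render normally).
 * @param string       $tag    Shortcode name being processed.
 * @return false|string        Empty string suppresses the shortcode output.
 */
function lsw_restrict_shortcode( $return, $tag ) {
    if ( 'livesmart_widget' !== $tag ) {
        return $return; // Leave every other shortcode alone.
    }

    $post = get_post();

    // Fail closed: outside a post context (for example a text widget) the
    // author is unknown, so the shortcode is not rendered.
    if ( $post && user_can( (int) $post->post_author, LSW_TRUSTED_CAP ) ) {
        return $return;
    }

    // Leave a trail so an administrator can review the affected content.
    error_log( sprintf(
        'livesmart_widget suppressed (post ID %d, author ID %d)',
        $post ? $post->ID : 0,
        $post ? (int) $post->post_author : 0
    ) );

    return ''; // Any non-false value replaces the shortcode output.
}
```

The check keys on the post author rather than the current viewer, so a contributor's submission stays suppressed even after an editor publishes it.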


Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Values added (none removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 06:00:00 +0000

Values added (none removed):

  • Description: The LiveSmart Video Chat Live Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livesmart_widget' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  • Title: LiveSmart Video Chat <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
  • Weaknesses: CWE-79
  • References
  • Metrics: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:36:20.221Z

Reserved: 2026-05-26T19:05:01.112Z

Link: CVE-2026-9644

Vulnrichment

Updated: 2026-05-28T10:36:14.509Z

NVD

Status: Deferred

Published: 2026-05-28T06:16:29.010

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-9644

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T07:30:11Z
