CVE-2019-25737: Stored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
Live Chat Unlimited version 2.8.3 contains a stored cross-site scripting (XSS) vulnerability in its chat input field. An unauthenticated attacker can inject malicious JavaScript code that persists in the system and executes when administrators access the chat interface. This allows attackers to steal admin session cookies, redirect users to phishing sites, or perform unauthorized actions within the admin dashboard without requiring authentication.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Attackers can submit payloads containing script tags and event handlers that execute in the admin area, enabling cookie theft or forced redirects to malicious websites.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability is a Stored XSS flaw (CWE-79) in Live Chat Unlimited 2.8.3's chat input handling. The application fails to properly sanitize or encode user-supplied input before storing and rendering it in the admin area. Attackers can submit payloads containing script tags and event handlers (e.g., <img onerror=alert()>) through the chat interface. These payloads execute client-side in the administrative interface with the victim's privilege level, enabling session hijacking or malicious redirects. The CVSS 3.1 score of 6.1 (MEDIUM) reflects network accessibility, low attack complexity, and no privilege requirement, though impact is limited to confidentiality and integrity without availability impact.
Business impact
A successful exploitation enables attackers to compromise administrative accounts and their sessions without authentication. The attacker gains ability to steal credentials or session tokens, redirect admins to credential harvesting sites, or inject administrative interface modifications to mask unauthorized activity. For organizations running Live Chat Unlimited, this creates a privileged account compromise vector that could lead to broader system access, data exfiltration of chat logs, or reputation damage if admins are manipulated into approving fraudulent requests or accessing malicious content.
Affected systems
Live Chat Unlimited version 2.8.3 is confirmed affected. Organizations must verify whether they are running this specific version or later versions prior to any patched release. The vulnerability affects both the chat widget deployed on customer-facing websites and the administrative backend where chat logs and conversations are reviewed. Any installation of this product version with network exposure is at risk.
Exploitability
Exploitation requires no authentication and only user interaction—specifically that an administrator views the injected chat message. The attack complexity is low; standard XSS payloads work without authentication or special preconditions. The vulnerability does not appear on CISA's Known Exploited Vulnerabilities list as of the source data date, suggesting active exploitation is not yet widespread, though the straightforward nature of XSS attacks means proof-of-concept code is trivial to develop and weaponize.
Remediation
The primary remediation is to upgrade Live Chat Unlimited beyond version 2.8.3 to a patched release. Organizations should verify the vendor's advisory for confirmed fixed versions. Until patching is possible, implement network controls to limit access to the admin interface (restrict by IP), disable chat functionality temporarily, or sanitize input at the web application firewall level to block script tags and event handlers. Enforce Content Security Policy (CSP) headers to mitigate stored XSS execution in the admin area.
Patch guidance
Consult the Live Chat Unlimited vendor advisory or release notes for the fixed version addressing CVE-2019-25737. Apply the patch to all instances of the application in your environment. After patching, verify that chat messages containing special characters no longer execute as code. Test both the public chat interface and the administrative dashboard to confirm the injection points are now properly encoded. If automatic updates are available, ensure they are enabled to prevent future instances of this version from being deployed.
Detection guidance
Monitor for encoded or obfuscated attempts to submit script tags, event handler attributes (onerror, onclick, onload), or iframe injection through chat input fields. Web application firewalls should block payloads containing <script>, on* event handlers, or javascript: protocol strings. Log admin dashboard access and correlate with chat message ingestion times to identify when malicious payloads were submitted. Review browser console logs or network requests from admin sessions for unexpected redirects or cookie exfiltration attempts. Check for unusual admin activity immediately following high-volume chat submissions that contain special characters.
Why prioritize this
This vulnerability merits prompt attention despite its MEDIUM severity because it targets the administrative interface directly, enabling privilege escalation without authentication. The stored nature of the XSS means every admin who reviews chat will be exposed. While not actively exploited at scale according to KEV data, the low barrier to exploitation and high admin impact justify prioritization above other MEDIUM-severity issues. Organizations should patch before adversaries develop targeted campaigns.
Risk score, explained
The CVSS 3.1 score of 6.1 reflects: (1) Network accessibility with no special access requirements, (2) Low attack complexity—standard XSS payloads suffice, (3) No authentication required to inject the payload, (4) User interaction required—an admin must view the chat, and (5) Limited impact scope to confidentiality and integrity (cookie theft, redirect) without availability impact. The score does not account for the severity of compromising administrative sessions, which security teams should weight heavily in their own risk model.
Frequently asked questions
Is this vulnerability exploited in the wild?
As of the source data, CVE-2019-25737 is not listed on CISA's Known Exploited Vulnerabilities catalog. However, the simplicity of stored XSS attacks means exploitation code is trivial to develop. Organizations should assume active exploitation is possible and prioritize patching accordingly.
Do I need to be authenticated to exploit this?
No. The vulnerability allows unauthenticated attackers to inject malicious scripts through the public-facing chat input. However, the injected code only executes when an administrator accesses the chat interface, so the attacker must trick or wait for an admin to view the malicious message.
Will upgrading to the latest version fix this?
Likely, but verify against the vendor's advisory for the specific fixed version. Upgrade to the latest stable release of Live Chat Unlimited beyond 2.8.3, then test the admin dashboard to confirm that chat messages with special characters are properly encoded and do not execute as code.
Can we mitigate this without patching immediately?
Partial mitigation is possible: restrict admin dashboard access by IP address, deploy a web application firewall to block payloads containing script tags and event handlers, enforce a strict Content Security Policy header, and temporarily disable the chat feature if not business-critical. However, these are temporary measures; patching is the only permanent fix.
This analysis is based on published vulnerability data current as of the source date. Patch version numbers and vendor-specific remediation steps should be verified against official vendor advisories and security releases. This assessment does not constitute legal or compliance advice. Organizations should conduct their own risk assessment aligned with their specific environment, threat model, and business context. No exploit code or weaponization details are provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1
- CVE-2025-5085MEDIUMWP Nano AD Stored XSS Vulnerability – WordPress Plugin Security