CVE-2026-9644: LiveSmart Video Chat WordPress Plugin Stored XSS Vulnerability
A WordPress plugin called LiveSmart Video Chat has a security weakness that allows authenticated users with contributor-level permissions to inject malicious code into pages. When other visitors view those pages, the injected code runs in their browsers, potentially compromising their accounts or data. The vulnerability exists in all versions up to 1.2 and stems from the plugin not properly filtering user input before displaying it on pages.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
The LiveSmart Video Chat Live Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livesmart_widget' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9644 is a Stored Cross-Site Scripting (XSS) vulnerability in the LiveSmart Video Chat WordPress plugin affecting versions through 1.2. The vulnerability resides in the 'livesmart_widget' shortcode handler, which fails to sanitize and escape user-supplied shortcode attributes before rendering them in page content. An authenticated attacker with contributor-level or higher permissions can craft a malicious shortcode with XSS payloads that persist in the WordPress database. When any user accesses a page containing the injected shortcode, the malicious script executes in their browser context with the privileges of that user. The attack vector is network-based with low attack complexity, requiring only valid WordPress credentials at the contributor tier or above.
Business impact
Organizations running the LiveSmart Video Chat plugin face content integrity and user trust risks. Attackers can deface site content, redirect visitors to malicious sites, capture credentials or session tokens, inject malware, or perform actions on behalf of compromised users. Since the vulnerability requires stored persistence, the attack payload affects all site visitors until remediated. For WordPress sites operating e-commerce, SaaS, or membership models, this could enable account takeover, payment fraud, or mass client compromise. The damage scales with site traffic and the sensitivity of data accessible through affected user sessions.
Affected systems
The LiveSmart Video Chat WordPress plugin in all versions up to and including 1.2 is vulnerable. WordPress installations using this plugin with users holding contributor-level access or above are at risk. Multisite WordPress networks where multiple authors or contributors use the plugin face heightened exposure.
Exploitability
Exploitation requires valid WordPress authentication and at least contributor-level privileges. An attacker cannot exploit this remotely without credentials. However, the barrier to entry is moderate: many WordPress sites have contributors, freelancers, or client accounts with this permission tier. Once a shortcode is injected and published, all site visitors passively trigger the vulnerability without interaction. No user action beyond page loading is required for the stored payload to execute. The CVSS score of 6.4 (Medium) reflects the authentication requirement and the cross-site nature of the impact, which is limited to confidentiality and integrity rather than availability.
Remediation
Update the LiveSmart Video Chat plugin to a version that addresses the input sanitization and output escaping defects. Verify the patch version against the plugin's official repository or vendor advisory before deployment. As an interim measure, restrict contributor-level access to only trusted users, audit existing pages for suspicious shortcode usage, and consider deactivating the plugin until a fix is confirmed available and tested in a staging environment.
Patch guidance
Check the official LiveSmart Video Chat plugin repository on WordPress.org or the vendor's security advisory for a patched version that resolves CVE-2026-9644. Apply patches first to a staging environment to test compatibility with your site's theme and other plugins. After validation, deploy to production during a maintenance window and verify that the shortcode functionality still operates as intended. Review the plugin's change log to confirm the security update addresses CWE-79 (Improper Neutralization of Input During Web Page Generation).
Detection guidance
Search your WordPress database and page content for instances of the 'livesmart_widget' shortcode with unusual or suspicious attributes, especially those containing script tags, event handlers, or encoded JavaScript. Review WordPress user logs and contributor-level account activity for unauthorized post or page modifications. Monitor site traffic for unusual client-side behavior or redirects correlating with page views of previously edited content. Implement Web Application Firewall (WAF) rules to detect and block reflected XSS patterns in shortcode parameters. Use WordPress security plugins with malware scanning capabilities to identify stored XSS payloads.
Why prioritize this
Although the CVSS score is Medium (6.4), this vulnerability warrants priority attention because it enables persistent compromise of all site visitors through a stored payload. Unlike reflected XSS, the attack does not require social engineering or victim-specific URLs—merely viewing an infected page triggers the exploit. Organizations with multiple contributors or those accepting external content submissions face particularly high risk. The authentication barrier is meaningful but not insurmountable in environments with loose access controls or compromised accounts.
Risk score, explained
The CVSS 3.1 score of 6.4 reflects: (1) Network-based attack vector requiring only valid credentials; (2) Low attack complexity—no special conditions needed beyond a page load; (3) Low privilege requirement—contributor tier is common; (4) No user interaction needed once the page is accessed; (5) Cross-site scope affecting other users; (6) Limited impact on confidentiality and integrity, but no availability impact. The Medium severity appropriately balances the ease of exploitation and persistence against the authentication prerequisite.
Frequently asked questions
Can unauthenticated users exploit this vulnerability?
No. The vulnerability requires valid WordPress login credentials and at least contributor-level permissions to inject a malicious shortcode. However, once injected and published, any site visitor—authenticated or not—will trigger the stored XSS payload when they view an affected page.
Does this vulnerability allow remote code execution on the server?
No. This is a client-side XSS vulnerability, not a remote code execution (RCE) flaw. The injected script runs in visitors' browsers, not on the WordPress server. Server-side compromise would require a separate, more critical vulnerability.
What should I do if I cannot update the plugin immediately?
As interim steps: (1) Audit all pages and posts for suspicious 'livesmart_widget' shortcodes and remove them; (2) Restrict contributor-level access to only fully trusted staff; (3) Monitor page edit logs for unauthorized changes; (4) Consider deactivating the plugin until a patch is available and tested. (5) Inform your users if any stored XSS was confirmed active on your site.
Will a Web Application Firewall (WAF) prevent this attack?
A WAF can help reduce risk by filtering malicious shortcode payloads before they reach WordPress, but it is not a substitute for patching. WAF rules must be properly configured to detect encoded or obfuscated XSS patterns. The most reliable remediation is updating the plugin to a version with proper input sanitization and output escaping.
This analysis is provided for informational purposes and represents the state of vulnerability intelligence as of the publication date. CVE-2026-9644 details, patch availability, and vendor advisories may be updated by the maintainers. Always verify patch versions and compatibility against official vendor sources before deployment. SEC.co makes no warranty regarding completeness or accuracy of derived information and recommends independent validation of all remediation steps in a testing environment before production use. If your organization believes it has been compromised by this vulnerability, consult your incident response team or a qualified cybersecurity professional. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1