Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat


Reported on Dec 27th 2021


livehelperchat is an open source live chat service. In this service, general users can chat 1:1 with administrators. When an administrator sends an XSS PoC to a general user, XSS occurs in the general user's chat room. Since the XSS PoC is saved in the chat room, XSS occurs again even if you leave and re-enter the chat room. The attack also works with privileges lower than admin privileges.

Proof of Concept

1. Open the and log in as administrator or operator
2. Go to and enter a comment
3. Again go to and send an XSS PoC after clicking Open chats
4. Going back to the normal user's chat room causes XSS

Video :


Through this vulnerability, an attacker is able to execute malicious scripts.

We are processing your report and will contact the livehelperchat team within 24 hours. (a year ago)
Pocas modified the report (a year ago)
Remigijus Kiminas validated this vulnerability (a year ago)
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas marked this as fixed in 3.91 with commit c3881f (a year ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE (a year ago)


In general we want to support javascript in [HTML] bbcode. It's just we should limit this feature only to operator who has specific permission. So only that was changed.
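The maintainer's comment above describes the fix as gating the [HTML] bbcode behind an explicit operator permission rather than removing it. The following is an added illustration of that design, not livehelperchat's own code: a minimal message renderer that escapes everything by default and passes raw HTML through only when the stored sender record carries the permission. The permission name `use_html_bbcode`, the sender record shape, the `[HTML]...[/HTML]` and `[b]` bbcode grammar and the sample messages are all assumptions constructed for the example.

```javascript
// Added illustration (not livehelperchat's own code): render stored chat
// messages so the [HTML] bbcode is a privileged feature, not a default one.
// The permission name and bbcode grammar below are assumptions.

const HTML_BBCODE_PERMISSION = 'use_html_bbcode'; // assumed permission name

// Escape the characters that change meaning in an HTML text or attribute context.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render one stored message for display in a visitor's chat window.
// `sender` is the stored author record: { role: string, permissions: string[] }.
// The decision is made from the stored record, not from who is viewing the
// message, so a message stays rendered the same way on every later visit.
function renderMessage(body, sender) {
  const canUseHtml =
    Array.isArray(sender.permissions) &&
    sender.permissions.includes(HTML_BBCODE_PERMISSION);

  // Split the body on [HTML]...[/HTML] blocks; the capturing group keeps them.
  const parts = String(body).split(/(\[HTML\][\s\S]*?\[\/HTML\])/i);

  return parts
    .map((part) => {
      const m = part.match(/^\[HTML\]([\s\S]*?)\[\/HTML\]$/i);
      if (m) {
        // Raw HTML only for senders holding the permission; for everyone
        // else the whole block, tags included, is escaped and shown as text.
        return canUseHtml ? m[1] : escapeHtml(part);
      }
      // Plain text: escape first, then apply a harmless bbcode ([b]) as an
      // example of markup that is safe to allow for every sender.
      return escapeHtml(part).replace(/\[b\]([\s\S]*?)\[\/b\]/gi, '<b>$1</b>');
    })
    .join('');
}

// Constructed sample senders and messages for a stand-alone run.
const visitor = { role: 'visitor', permissions: [] };
const plainOperator = { role: 'operator', permissions: [] };
const trustedOperator = { role: 'operator', permissions: [HTML_BBCODE_PERMISSION] };
const sampleMessage = 'hello [b]there[/b] [HTML]<i>styled</i>[/HTML]';

function demo() {
  return {
    visitor: renderMessage(sampleMessage, visitor),
    plainOperator: renderMessage(sampleMessage, plainOperator),
    trustedOperator: renderMessage(sampleMessage, trustedOperator),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The important property is that the default path is escaping: a sender without the permission cannot get markup into the page at all, and the permission check reads the stored sender record rather than trusting anything in the message body.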
