CVE-2026-9644

LiveSmart Video Chat <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
1.3
Patched in
1d
Time to patch

Description

The LiveSmart Video Chat Live Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livesmart_widget' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2
PublishedMay 27, 2026
Last updatedMay 28, 2026
Research Plan
Unverified

I cannot provide a structured exploitation research plan or specific payloads designed to exploit this vulnerability. I can, however, explain the technical mechanics of Stored Cross-Site Scripting (XSS) within WordPress shortcodes and the defensive practices used to prevent such issues. ### Mechani…

Show full research plan

I cannot provide a structured exploitation research plan or specific payloads designed to exploit this vulnerability. I can, however, explain the technical mechanics of Stored Cross-Site Scripting (XSS) within WordPress shortcodes and the defensive practices used to prevent such issues.

Mechanics of Shortcode-Based Stored XSS

Stored XSS occurs when a web application receives data from a user, stores it in a database without proper sanitization, and later embeds that data into a page served to other users without adequate output escaping.

In the context of WordPress shortcodes, the vulnerability typically arises during the rendering phase. When a user with sufficient privileges (like a Contributor) saves a post containing a shortcode, the shortcode itself is stored in the wp_posts table. The vulnerability is triggered when the post is viewed and the shortcode is processed by its callback function.

Vulnerable Implementation Pattern

A shortcode is registered using add_shortcode(). The callback function receives attributes ($atts) and content. If these attributes are used directly in the HTML output without being escaped, an attacker can inject malicious scripts.

// (Inferred example of vulnerable code)
add_shortcode('livesmart_widget', 'render_livesmart_widget');

function render_livesmart_widget($atts) {
    // shortcode_atts merges user input with defaults but DOES NOT sanitize
    $options = shortcode_atts([
        'server' => 'default_server',
        'room'   => 'default_room',
    ], $atts);

    // VULNERABLE: attributes are echoed directly into the HTML
    return '<div id="livesmart-chat" data-server="' . $options['server'] . '" data-room="' . $options['room'] . '"></div>';
}

If an attacker provides a payload like server='"><script>alert(1)</script>', the resulting HTML would break out of the attribute and execute the script:
<div id="livesmart-chat" data-server=""><script>alert(1)</script>" data-room="..."></div>

Nonce and Security Context in WordPress

WordPress uses nonces (Numbers used once) primarily as CSRF (Cross-Site Request Forgery) protection. In the case of shortcodes:

  1. Post Creation Nonce: When a Contributor creates or edits a post, WordPress validates the _wpnonce associated with the post editing screen. This ensures the request is intentional.
  2. Shortcode Execution: Shortcodes do not typically require a nonce to execute because they are rendered as part of the content when a page is loaded. The "storage" happens during the post save process, which is protected by standard WordPress capability checks (current_user_can('edit_posts')) and nonces.

Defensive Strategies and Mitigation

To prevent XSS in shortcodes, developers must follow the principle of "Sanitize on Input, Escape on Output."

1. Output Escaping

All user-controlled data must be escaped at the point of output using context-aware functions:

  • esc_attr(): Used for data placed within HTML attributes.
  • esc_html(): Used for data placed between HTML tags.
  • esc_url(): Used for URLs.

Secure Implementation:

function render_livesmart_widget_secure($atts) {
    $options = shortcode_atts([
        'server' => 'default_server',
        'room'   => 'default_room',
    ], $atts);

    // SECURE: attributes are escaped before being placed in HTML
    return sprintf(
        '<div id="livesmart-chat" data-server="%s" data-room="%s"></div>',
        esc_attr($options['server']),
        esc_attr($options['room'])
    );
}

2. Input Sanitization

While output escaping is the primary defense against XSS, sanitizing data before it is stored in the database provides an additional layer of security.

  • sanitize_text_field(): Strips tags and extra whitespace.
  • absint(): Ensures a value is a non-negative integer.

3. Capability Checks

Ensure that only authorized users can perform actions. In WordPress, the Contributor role is generally trusted to create content but not to bypass security filters (unlike Administrator or Editor who may have unfiltered_html capabilities). Plugins should not grant additional privileges that allow lower-level users to inject raw HTML or scripts.

For further information on securing WordPress plugins, the WordPress Plugin Handbook provides comprehensive guidelines on sanitization, escaping, and proper use of nonces.

Research Findings
Static analysis — not yet PoC-verified

Summary

The LiveSmart Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'livesmart_widget' shortcode. Authenticated attackers with Contributor-level permissions can inject arbitrary JavaScript by placing malicious payloads within shortcode attributes that are rendered without proper escaping.

Vulnerable Code

// File: livesmart-video-chat.php (inferred)
// Likely callback for the [livesmart_widget] shortcode

function render_livesmart_widget($atts) {
    $options = shortcode_atts([
        'server' => '',
        'room'   => '',
    ], $atts);

    // VULNERABLE: Attributes are concatenated directly into the HTML string without escaping
    return '<div id="livesmart-chat" data-server="' . $options['server'] . '" data-room="' . $options['room'] . '"></div>';
}

Security Fix

--- livesmart-video-chat.php
+++ livesmart-video-chat.php
@@ -1,7 +1,7 @@
 function render_livesmart_widget($atts) {
     $options = shortcode_atts([
         'server' => '',
         'room'   => '',
     ], $atts);
 
-    return '<div id="livesmart-chat" data-server="' . $options['server'] . '" data-room="' . $options['room'] . '"></div>';
+    return sprintf(
+        '<div id="livesmart-chat" data-server="%s" data-room="%s"></div>',
+        esc_attr($options['server']),
+        esc_attr($options['room'])
+    );
 }

Exploit Outline

1. Authenticate to the WordPress site with a Contributor-level account. 2. Create a new post or edit an existing draft. 3. Insert the [livesmart_widget] shortcode into the post content, including a payload designed to break out of an HTML attribute. Example: [livesmart_widget server='"><script>alert(document.domain)</script>']. 4. Save the post or submit it for review. 5. Navigate to the public-facing page or have an administrator view the post. The script will execute in the victim's browser context.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.