Description
The WP Live Chat Support Pro plugin before 8.0.07 for WordPress is vulnerable to unauthenticated Remote Code Execution due to client-side validation of allowed file types, as demonstrated by a v1/remote_upload request with a .php filename and the image/jpeg content type.
References (3)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/RiieCco/write-ups/tree/master/CVE-2018-12426
Third Party Advisory x_refsource_misc
https://github.com/CodeCabin/wp-live-chat-support/blob/master/readme.txt
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9697
Scores
CVSS v3: 9.8
EPSS: 0.1012
EPSS Percentile: 93.1%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-434
Status: published
Products (1): 3cx/live_chat < 8.0.07
Published: Jul 02, 2018
Tracked Since: Feb 18, 2026