CVE-2024-7869

HIGH

123.chat - Video Chat plugin for WordPress <1.3.1 - XSS

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-7869. PoCs published by sh3bu.

AI-analyzed exploit summary: The repository provides a detailed technical analysis of CVE-2024-41662, an XSS vulnerability in VNote leading to RCE, and CVE-2024-7869, a stored XSS in the 123.chat WordPress plugin. It includes steps to reproduce, payload examples, and mitigation strategies.

Description

The 123.chat - Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Exploits (1)

github WRITEUP
by sh3bu · poc
https://github.com/sh3bu/CVE-disclosures/tree/main/CVE-2024-7869

Classification
Writeup 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: VNote <=3.18.1, 123.chat - Video Chat <=1.3.1
No auth needed
Prerequisites: Access to create a note in VNote · Ability to inject malicious input in the 123.chat plugin
devstral-2 · analyzed Feb 27, 2026

Scores

CVSS v3 7.2
EPSS 0.0035
EPSS Percentile 27.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
123.chat/123.chat - Video Chat < 1.3.1
Published Oct 01, 2024
Tracked Since Feb 18, 2026