bookmark_borderWP-Live Chat by 3CX < 8.2.0 - Authenticated Stored Cross-Site Scripting

There is a Stored Cross-Site Scripting (XSS) in WP-Live Chat by 3CX v. 8.1.9 By 3CX within the Quick Response function. Due to the nature of this vulnerability, a malicious attack with access to a WordPress multisite and permissions to this plugin can craft a malformed JavaScript payload.

bookmark_borderStored XSS – ImageBoss Plugin v.3.0.4 In WordPress v.5.4.1

Vulnerability Class: XSS | Vulnerable Product: ImageBoss v.3.0.4

What is ImageBoss?

Content-aware image resizing, cropping, compression, cache, and globally deliver. All web development best practices, hassle-free in one simple and powerful API.ImageBoss is a tool in the Image Processing and Management category of a tech stack.

Vulnerable Code

Settings.php contains a line of code that creates an input field and echo the value of the input back to the DOM with the following PHP code <?php echo get_option(‘ibup_imageboss_source’) ?> .

        style="width: 300px"
        value="<?php echo get_option('ibup_imageboss_source') ?>"
    /> <br /> <br />

Contents of the Settings.php File

function image_boss_settings() {

<form method="post" action="options.php" id="image_boss_settings">
  <div class="wrap">

    <?php if (isset($_GET['settings-updated'])) { ?>
      <div class='updated'><p>You have successfully saved the settings.</p></div>
    <?php } ?>

    <h3>Step 1: Account</h3>
    <p>Create your <a href="" target="_blank">ImageBoss Account</a>.</p>

    <h3>Step 2: Image Source</h3>
      Connect ImageBoss to your images on <a target='_blank' href=''>ImageBoss Dashboard</a> by adding your image source.
    <?php settings_fields('imageboss-settings-group'); ?>

    <h3>Step 3: Source Name</h3>
    <p>This is the name you gave to your Image Source on Step 2.</p>
        style="width: 300px"
        value="<?php echo get_option('ibup_imageboss_source') ?>"
    /> <br /> <br />

      <?php echo get_option('ibup_imageboss_active') ? 'checked' : '' ?>
    /> <label for="ibup_imageboss_active">If you have all set, check this box to activate ImageBoss on your images.</label>
    <h3>Advanced Configurations</h3>
    <p>By default ImageBoss will wrap all your images. If you don't want this to happen you can add bellow the hosts you want ImageBoss to intercept:</p>
        rows="4" cols="80"
      ><?php echo get_option('ibup_imageboss_hosts') ?></textarea> <br /> <br />
    <input type="submit" class="button-primary" value="Save Changes" />

  </div> <br /> <br /> <br /> <br />
    <h3>Useful Links</h3>
    <a class='button action' target='_blank' href=''>Create Account</a>
    <a class='button action' target='_blank' href=''>ImageBoss Dashboard</a>
    <a class='button action' target='_blank' href=''>ImageBoss Docs</a>
    <a class='button action' target='_blank' href=''>Plugin Documentation</a>
    <a class='button action' target='_blank' href=''>Report a Bug</a>

Exploit and Payload In Action

chevonphillip"><img src=x onerror=alert(1337);>"

Video PoC

Recommended Fix

Vendor Fix

Thank you @igorescobar for fixing this bug in a timely manner.


  • 04/30/2020 – CVE requested from
  • 04/30/2020 – Write-up created pending public disclosure.
  • 05/01/2020 – Reported Vulnerability to the vendor.
  • 05/01/2020 – Reported to WordPress Plugin Security Team.
  • 05/11/2020 – Reply from the vendor.
  • 05/11/2020 – Bug fixed in v.3.0.6.

bookmark_borderSub-Domain Takeovers — How Can Companies Better Secure Their Assets? Part 1

What are Sub-Domains?

For those of you who may not know what a sub-domain is here’s a brief description in my own words.

Sub-Domains are children to a parent domain or top-level domains (TLD). For example, may have a sub-domain with the following URLs and

Why do Sub-Domains exist?

There are several reasons why sub-domains are used. Here are some of the main reasons I have come across during my research.

  • CNAME (Canonical Name Record) — pointing to a third party service that includes WordPress, Pantheon, and GitHub Pages.
  • Hosting static resources — such as images, files, and other data that may not necessarily need to be hosted on a company’s internal servers. Services such as Amazon Web Services (AWS), Microsoft’s Azure, Google Cloud Engine, and Content Delivery Networks (CDNs).
  • Development and Staging Environments — creating sub-domains that point to servers that aren’t meant to be public or discovered by end-users or web crawlers.
  • API endpoints integrations — creating sub-domains that point to an API endpoint that is meant to serve RESTFUL data to and from applications.