bookmark_borderWP-Live Chat by 3CX < 8.2.0 - Authenticated Stored Cross-Site Scripting

There is a Stored Cross-Site Scripting (XSS) in WP-Live Chat by 3CX v. 8.1.9 By 3CX within the Quick Response function. Due to the nature of this vulnerability, a malicious attack with access to a WordPress multisite and permissions to this plugin can craft a malformed JavaScript payload.

bookmark_borderStored XSS – ImageBoss Plugin v.3.0.4 In WordPress v.5.4.1

Vulnerability Class: XSS | Vulnerable Product: ImageBoss v.3.0.4

What is ImageBoss?

Content-aware image resizing, cropping, compression, cache, and globally deliver. All web development best practices, hassle-free in one simple and powerful API.ImageBoss is a tool in the Image Processing and Management category of a tech stack.

Vulnerable Code

Settings.php contains a line of code that creates an input field and echo the value of the input back to the DOM with the following PHP code <?php echo get_option(‘ibup_imageboss_source’) ?> .

        style="width: 300px"
        value="<?php echo get_option('ibup_imageboss_source') ?>"
    /> <br /> <br />

Contents of the Settings.php File

function image_boss_settings() {

<form method="post" action="options.php" id="image_boss_settings">
  <div class="wrap">

    <?php if (isset($_GET['settings-updated'])) { ?>
      <div class='updated'><p>You have successfully saved the settings.</p></div>
    <?php } ?>

    <h3>Step 1: Account</h3>
    <p>Create your <a href="" target="_blank">ImageBoss Account</a>.</p>

    <h3>Step 2: Image Source</h3>
      Connect ImageBoss to your images on <a target='_blank' href=''>ImageBoss Dashboard</a> by adding your image source.
    <?php settings_fields('imageboss-settings-group'); ?>

    <h3>Step 3: Source Name</h3>
    <p>This is the name you gave to your Image Source on Step 2.</p>
        style="width: 300px"
        value="<?php echo get_option('ibup_imageboss_source') ?>"
    /> <br /> <br />

      <?php echo get_option('ibup_imageboss_active') ? 'checked' : '' ?>
    /> <label for="ibup_imageboss_active">If you have all set, check this box to activate ImageBoss on your images.</label>
    <h3>Advanced Configurations</h3>
    <p>By default ImageBoss will wrap all your images. If you don't want this to happen you can add bellow the hosts you want ImageBoss to intercept:</p>
        rows="4" cols="80"
      ><?php echo get_option('ibup_imageboss_hosts') ?></textarea> <br /> <br />
    <input type="submit" class="button-primary" value="Save Changes" />

  </div> <br /> <br /> <br /> <br />
    <h3>Useful Links</h3>
    <a class='button action' target='_blank' href=''>Create Account</a>
    <a class='button action' target='_blank' href=''>ImageBoss Dashboard</a>
    <a class='button action' target='_blank' href=''>ImageBoss Docs</a>
    <a class='button action' target='_blank' href=''>Plugin Documentation</a>
    <a class='button action' target='_blank' href=''>Report a Bug</a>

Exploit and Payload In Action

chevonphillip"><img src=x onerror=alert(1337);>"

Video PoC

Recommended Fix

Vendor Fix

Thank you @igorescobar for fixing this bug in a timely manner.


  • 04/30/2020 – CVE requested from
  • 04/30/2020 – Write-up created pending public disclosure.
  • 05/01/2020 – Reported Vulnerability to the vendor.
  • 05/01/2020 – Reported to WordPress Plugin Security Team.
  • 05/11/2020 – Reply from the vendor.
  • 05/11/2020 – Bug fixed in v.3.0.6.