# Exploit Title: Live Chat Unlimited v2.8.3 Stored XSS Injection  
# Google Dork: inurl:"wp-content/plugins/screets-lcx"  
# Date: 2019/06/25  
# Exploit Author: m0ze  
# Vendor Homepage:  
# Software Link:  
# Version: 2.8.3  
# Tested on: Windows 10 / Parrot OS  
# CVE : -  
Weak security measures like bad input field data filtering has been  
discovered in the Ā«Live Chat UnlimitedĀ». Current version of this  
premium WordPress plugin is 2.8.3.  
Go to the demo website and open chat window by clicking on Ā«Open/closeĀ» link, then click on Ā«Online modeĀ» to go online. Use your payload inside input field and press [Enter].   
Provided exaple payloads working on the admin area, so it's possible to steal admin cookies or force a redirect to any other  
Example #1: <!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">m0ze  
Example #2: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">m0ze