## https://sploitus.com/exploit?id=WPEX-ID:012C5B64-EF76-4539-AFD8-40F6C329AE88
Setup:
- In the General Settings of the plugin, check the "Show Chat Bubble at website" checkbox and save.
- In the "Bubble Items" enable the "Simple CallBack" and save.
Attacker (unauthenticated):
- Access the blog and click on the contact bubble.
- In any of the offered fields (fname or fphone), enter the following payload and click "Submit": <script>alert(/XSS/)</script>
The XSS will be triggered when an admin will view the related Callback Message via the Callback dashboard (/wp-admin/edit.php?post_type=cbb_callback => /wp-admin/post.php?post=21&action=edit)