LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via the Chat Transfer Function

EDB-ID:

52380

CVE:

2025-51401

EDB Verified:

Author:

Manojkumar J

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2025-07-22

Vulnerable App: 
# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via the Chat Transfer Function
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51401
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51401

A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
injecting a crafted payload into the Operator Chat Name Field Triggers on
Chat Owner Transfer Functionality on Live Helper Chat.

## Reproduction Steps:
1. Log in as an operator.
2. Navigate to your operator settings page.
3. In the **Name** field, enter the following payload:
   ```
  "><img src="x" onerror="prompt(1);">
   ```
4. Save the changes.
5. Initiate a chat with a visitor.
6. Transfer the chat to another operator — the XSS payload executes in the
receiving operator’s chat interface.
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services