# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Operator Surname # Date: 09/06/2025 # Exploit Author: Manojkumar J (TheWhiteEvil) # Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/ # Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/ # Software Link: https://github.com/LiveHelperChat/livehelperchat/ # Version: <=4.61 # Patched Version: 4.61 # Category: Web Application # Tested on: Mac OS Sequoia 15.5, Firefox # CVE : CVE-2025-51397 # Exploit link: https://github.com/Thewhiteevil/CVE-2025-51397 A stored cross-site scripting (XSS) vulnerability in Live Helper Chat version ≤ 4.61 allows attackers to execute arbitrary JavaScript by injecting a crafted payload into the Operator Surname field. This payload is stored and later executed when an admin or higher-privileged user views the Recipients List where the attacker is listed as the Owner. ## Reproduction Steps: 1. Log in as an operator. 2. Navigate to your Operator Surname field. 3. Create new Operator Surname or Modify the Operator Surname, enter the following payload: ``` "> ``` 4. Save the changes. 5. This payload is stored and later executed when an admin or higher-privileged user views the Recipients List where the attacker is listed as the Owner.