LiveHelperChat 4.61 – Stored Cross Site Scripting (XSS) via Telegram Bot Username

Exploit Details

Basic Information

Exploit Title LiveHelperChat 4.61 – Stored Cross Site Scripting (XSS) via Telegram Bot Username
Exploit ID EDB-ID:52376
Type exploitdb
Published 2025-07-22T00:00:00
Modified 2025-07-22T00:00:00

CVSS Information

Severity NONE
Vector NONE

CVE Information

  • CVE-2025-51396


Exploit Code

# Exploit Title: LiveHelperChat 4.61 – Stored Cross Site Scripting (XSS) via Telegram Bot Username

# Date: 09/06/2025

# Exploit Author: Manojkumar J (TheWhiteEvil)

# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/

# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/

# Software Link: https://github.com/LiveHelperChat/livehelperchat/

# Version: <=4.61
# Patched Version: 4.61

# Category: Web Application

# Tested on: Mac OS Sequoia 15.5, Firefox

# CVE : CVE-2025-51396

# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51396

A stored cross-site scripting (XSS) vulnerability in Live Helper Chat version ≤ 4.61 allows attackers to execute arbitrary JavaScript by injecting a crafted payload into the Telegram Bot Username parameter. This payload is stored and later executed when an admin or higher-privileged user views or edits the Telegram Bot Username.

## Reproduction Steps:

1. Log in as an operator user in Live Helper Chat.

2. Navigate to `Settings > Live Help Configuration > Telegram Bot`.

3. In the **Bot Username** field, enter the following payload:

```
">
```

4. Save the settings.

5. Revisit the Telegram configuration panel; the payload will execute.
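
The mitigation side of the steps above, as an added example that is not Live Helper Chat's own code or its actual patch: validate the Bot Username on save and encode it for the attribute context on output. It assumes the stored value is echoed into an input's `value` attribute, as the `">` prefix of the payload suggests; the field name `bot_username`, the function names and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: Telegram bot usernames are 5-32 characters of letters, digits
// and underscores and end in "bot", so anything else is rejected on save.
const BOT_USERNAME_RE = '/\A[a-z0-9_]{2,29}bot\z/i';

function isValidBotUsername(string $value): bool
{
    return preg_match(BOT_USERNAME_RE, $value) === 1;
}

// "Before": the stored value is concatenated into the attribute unchanged,
// so a leading "> closes value="..." and the tag, and the rest becomes markup.
function renderUnsafe(string $value): string
{
    return '<input type="text" name="bot_username" value="' . $value . '">';
}

// "After": encode for the HTML attribute context at output time. ENT_QUOTES
// covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
function renderEscaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="bot_username" value="' . $safe . '">';
}

// Constructed sample values (not taken from the advisory): one legitimate
// username and one harmless marker that starts with the same "> breakout.
$samples = ['support_desk_bot', '"><b>constructed-marker</b>'];

foreach ($samples as $sample) {
    printf("input:   %s\n", $sample);
    printf("valid:   %s\n", isValidBotUsername($sample) ? 'yes' : 'no');
    printf("unsafe:  %s\n", renderUnsafe($sample));
    printf("escaped: %s\n\n", renderEscaped($sample));
}
```

Output encoding is what stops the stored value from being parsed as markup; the format check on save is defense in depth and also keeps already-stored bad values from being re-saved unnoticed.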
