LiveHelperChat 4.61 – Stored Cross Site Scripting (XSS) via Operator Surname

Exploit Details

Basic Information

Exploit Title: LiveHelperChat 4.61 – Stored Cross Site Scripting (XSS) via Operator Surname
Exploit ID: EDB-ID:52377
Type: exploitdb
Published: 2025-07-22T00:00:00
Modified: 2025-07-22T00:00:00

CVSS Information

Severity: NONE
Vector: NONE

CVE Information

  • CVE-2025-51397

Exploit Description

Exploit Title:…

Exploit Code

# Exploit Title: LiveHelperChat 4.61 – Stored Cross Site Scripting (XSS) via Operator Surname
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# LinkedIn: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link: https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51397
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51397

A stored cross-site scripting (XSS) vulnerability in Live Helper Chat version ≤ 4.61 allows attackers to execute arbitrary JavaScript by injecting a crafted payload into the Operator Surname field. This payload is stored and later executed when an admin or higher-privileged user views the Recipients List where the attacker is listed as the Owner.

## Reproduction Steps:

1. Log in as an operator.

2. Navigate to your Operator Surname field.

3. Create a new Operator Surname or modify the existing one, and enter the following payload:

```
">
```

4. Save the changes.

5. This payload is stored and later executed when an admin or higher-privileged user views the Recipients List where the attacker is listed as the Owner.
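
Added example, not part of the advisory or of LiveHelperChat's code: the rendering pattern that makes a stored surname executable, next to output encoding with `htmlspecialchars`, plus a review pass over surnames that were already stored. The function names, the table-cell markup and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added example, not LiveHelperChat code: function names and the table-cell
// markup are hypothetical stand-ins for the Recipients List "Owner" column.

// Vulnerable pattern: the stored surname is concatenated into HTML as-is,
// so markup an operator saved is parsed by the browser of whoever views it.
function render_owner_vulnerable(string $name, string $surname): string
{
    $full = $name . ' ' . $surname;
    return '<td title="' . $full . '">' . $full . '</td>';
}

// Hardened pattern: encode at output time. ENT_QUOTES escapes quotes for the
// attribute context; < > & are escaped for the element context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_owner_hardened(string $name, string $surname): string
{
    $full = e($name . ' ' . $surname);
    return '<td title="' . $full . '">' . $full . '</td>';
}

// Audit helper: surnames already stored before the upgrade stay in the
// database, so list the ones containing HTML metacharacters for review.
function surnames_needing_review(array $operators): array
{
    return array_values(array_filter(
        $operators,
        fn(array $op): bool => strpbrk($op['surname'], '<>"') !== false
    ));
}

// Constructed sample rows (not real data); the marker is inert markup.
$operators = [
    ['id' => 1, 'name' => 'Alice', 'surname' => "O'Neil"],
    ['id' => 2, 'name' => 'Bob',   'surname' => '"><b>marker</b>'],
    ['id' => 3, 'name' => 'Carol', 'surname' => 'Smith'],
];

foreach ($operators as $op) {
    echo render_owner_hardened($op['name'], $op['surname']), PHP_EOL;
}
foreach (surnames_needing_review($operators) as $op) {
    echo "review operator id {$op['id']}", PHP_EOL;
}
```

The audit deliberately ignores apostrophes so legitimate surnames are not flagged; the output encoder still escapes them.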
