LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS) via Operator Surname
# Exploit Title: LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS) via Operator Surname
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51397
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51397
# Reference: https://livehelperchat.com/4.61v-security-fixes-724a.html
https://github.com/LiveHelperChat/livehelperchat/pull/2228/commits/2056503ad96e04467ec9af8d827109b9b9b46223
A stored cross-site scripting (XSS) vulnerability in Live Helper Chat version ≤ 4.61 allows attackers to execute arbitrary JavaScript by injecting a crafted payload into the Operator Surname field. This payload is stored and later executed when an admin or higher-privileged user views the Recipients List where the attacker is listed as the Owner.
## Reproduction Steps:
1. Log in as an operator.
2. Navigate to your Operator Surname field.
3. Create new Operator Surname or Modify the Operator Surname, enter the following payload:
```"><img src="x" onerror="prompt(1);">```
5. Save the changes.
6. This payload is stored and later executed when an admin or higher-privileged user views the Recipients List where the attacker is listed as the Owner.
<img width="1361" height="713" alt="image" src="https://github.com/user-attachments/assets/f4829c29-0d7b-4b2b-b912-1a5424bc07a3" />
[4.0K] /data/pocs/7587fb31116f2dd91fc6bacf325c8bc8b63bed65
└── [1.6K] README.md
0 directories, 1 file