Critical Vulnerability Information

Vulnerability Title: LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS) via Facebook Integration Page Name Field
Date: 09/06/2025
Vulnerability Author: Manojkumar J (TheWhiteEvil)
Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
Software Link: https://github.com/LiveHelperChat/livehelperchat/
Version: <=4.61
Fixed Version: 4.61
Category: Web Application
Test Environment: Mac OS Sequoia 15.5, Firefox
CVE ID: CVE-2025-51398
Exploit Link: https://github.com/Thewhiteevil/CVE-2025-51398
Reference Link: https://livehelperchat.com/4.61v-security-fixes-724a.html

Vulnerability Description

Live Helper Chat versions <=4.61 are affected by a stored Cross-Site Scripting (XSS) vulnerability. Attackers can inject malicious payloads into the Facebook Integration Page Name field, allowing them to execute arbitrary JavaScript code. The payload is stored with the integration and executes when a user with higher privileges (such as an operator or administrator) accesses or edits the Facebook integration.

Reproduction Steps

1. Log in as an operator.
2. Navigate to your Facebook Page Integration settings.
3. Create a new Facebook Page Integration and enter the following payload in the Facebook Page Integration Name field:
4. Save the changes.
5. When a user with higher privileges accesses or edits the Facebook Page Integration, the payload will be stored and executed, triggering a stored XSS attack.
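
The class of bug described above, shown as an added example that is not code from Live Helper Chat or from the advisory author: a stored name field rendered without output encoding, next to the encoded form. The function names, the row markup and the sample name are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not Live Helper Chat source. Function names and the
// row markup are hypothetical.

// Unsafe: the stored name is concatenated into HTML as-is, so any markup in
// it is parsed by the browser of whoever opens the list or edit page.
function renderRowUnsafe(array $page): string
{
    return '<tr><td>' . $page['name'] . '</td>'
         . '<td><input name="name" value="' . $page['name'] . '"></td></tr>';
}

// Encode at output time for the HTML context. ENT_QUOTES covers both quote
// styles, so the value cannot close the value="..." attribute either.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRowSafe(array $page): string
{
    return '<tr><td>' . e($page['name']) . '</td>'
         . '<td><input name="name" value="' . e($page['name']) . '"></td></tr>';
}

// Defence in depth at write time: bound the length and reject control
// characters. This does not replace output encoding.
function validatePageName(string $name): string
{
    $name = trim($name);
    if ($name === '' || strlen($name) > 255) {
        throw new InvalidArgumentException('Page name must be 1-255 bytes');
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        throw new InvalidArgumentException('Page name contains control characters');
    }
    return $name;
}

// Constructed sample value: harmless markup standing in for untrusted input.
$page = ['name' => validatePageName('Acme "Support" <i>page</i>')];

echo renderRowUnsafe($page), PHP_EOL; // name is emitted as live markup
echo renderRowSafe($page), PHP_EOL;   // name is emitted as encoded text
```

Encoding belongs at every place the name is rendered (list view, edit form, any operator-facing widget), since the stored value stays untrusted after it is saved.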