Overview
The vulnerability identified as CVE-2025-51401 affects LiveHelperChat version 4.61, exposing users to a Stored Cross-Site Scripting (XSS) attack through the chat transfer function. This flaw allows an attacker to inject malicious scripts that are stored on the server and executed in the context of another user’s session.
Technical Details
The vulnerability arises when user input is not adequately sanitized during the chat transfer process. Specifically, when an administrator or operator transfers a chat session, the input data can include malicious JavaScript code. This code is stored in the database and subsequently rendered in the browser of any user who views the chat logs. For instance, if an attacker sends a message containing a script that redirects users to a phishing site, that script will execute whenever the chat history is accessed.
Additionally, the lack of proper context-aware output encoding means that the injected script will run with the privileges of the logged-in user, potentially leading to unauthorized actions such as session hijacking or data exfiltration. This makes the vulnerability particularly dangerous in environments where multiple users interact within the chat system.
Impact
The potential consequences of exploiting this vulnerability are severe. Attackers can leverage the stored XSS to steal sensitive information, such as user credentials and personal data, or perform actions on behalf of users without their consent. In a corporate setting, this could lead to data breaches, financial losses, and reputational damage.
Mitigation
To protect against CVE-2025-51401, it is crucial for organizations using LiveHelperChat to implement input validation and output encoding mechanisms. Ensure that all user inputs are properly sanitized to eliminate the possibility of script injection. Additionally, consider upgrading to the latest version of LiveHelperChat, as software updates often include critical security patches.
Security professionals should also conduct regular security audits and penetration testing to identify and remediate vulnerabilities. Educating users about the risks associated with XSS attacks and encouraging them to report suspicious activities can further enhance security posture. Implementing a Content Security Policy (CSP) can also help mitigate the risk of XSS by restricting the sources from which scripts can be executed.
Proof of Concept (PoC)
# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via the Chat Transfer Function
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51401
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51401
A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
injecting a crafted payload into the Operator Chat Name Field Triggers on
Chat Owner Transfer Functionality on Live Helper Chat.
## Reproduction Steps:
1. Log in as an operator.
2. Navigate to your operator settings page.
3. In the **Name** field, enter the following payload:
```
"><img src="x" onerror="prompt(1);">
```
4. Save the changes.
5. Initiate a chat with a visitor.
6. Transfer the chat to another operator — the XSS payload executes in the
receiving operator’s chat interface.