PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9644 nhadjidimitrov CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in the LiveSmart Video Chat Live Video Chat plugin for WordPress. The flaw resides in the plugin's 'livesmart_widget' shortcode, where insufficient input sanitization and output escaping on user-supplied attributes allow authenticated attackers with contributor-level access or higher to inject arbitrary web scripts. These scripts execute when any user accesses a page containing the injected content. The vulnerability affects all versions up to and including 1.2. The issue was disclosed on 2026-05-28 with a CVSS 3.1 score of 6.4 (Medium severity).

Vendor
nhadjidimitrov
Product
LiveSmart Video Chat Live Video Chat
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

WordPress site administrators using LiveSmart Video Chat plugin; security teams managing content management system deployments; developers maintaining WordPress plugins with shortcode functionality

Technical summary

The vulnerability stems from improper sanitization of user-supplied attributes within the 'livesmart_widget' shortcode handler. When contributors or higher-privileged users create or edit posts containing this shortcode, unescaped attribute values are stored in the database and rendered without adequate output encoding. This enables persistent JavaScript injection that executes in the context of any subsequent visitor's browser session. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N reflects network accessibility, low attack complexity, low privileges required, no user interaction, changed scope, and low impacts to confidentiality and integrity.

Defensive priority

medium

Recommended defensive actions

  • Update LiveSmart Video Chat plugin to version 1.3 or later
  • Review and restrict contributor-level user permissions where possible
  • Implement Content Security Policy headers to mitigate XSS impact
  • Audit existing posts and pages for unauthorized shortcode usage
  • Consider Web Application Firewall rules to filter suspicious shortcode attributes

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository changeset. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as the root cause. Attack vector requires authenticated access with contributor privileges or higher.

Official resources

2026-05-28