Security Alert Summary
The LiveSmart Video Chat Live Video Chat plugin for WordPress (all versions up to and including 1.2) contains a stored cross-site scripting (XSS) vulnerability in the livesmart_widget shortcode. Insufficient input sanitization and output escaping of user-supplied shortcode attributes allows authenticated users with contributor-level access and above to inject JavaScript that executes when an affected page is viewed.
CVE Details
- CVE ID: CVE-2026-9644
- Affected plugin / component: The LiveSmart Video Chat Live Video Chat plugin for WordPress
- Affected versions: All versions up to, and including, 1.2
- Published: May 28, 2026 at 06:16:29 AM UTC
- Last modified: May 28, 2026 at 01:45:25 PM UTC
- CVSS v3.1: Base score 6.4, MEDIUM; vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N - Authentication / privileges / user interaction: Requires authenticated user privileges (Privileges Required: Low – contributor-level access and above). User Interaction: None.
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE / weakness: CWE-79 (Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting issue arising from insufficient input sanitization and missing output escaping for attributes provided to the livesmart_widget shortcode. When a contributor or higher publishes content that includes crafted shortcode attributes, those attributes can contain JavaScript which is stored and later rendered without proper escaping.
Because the injected content is stored in pages and executed in viewers’ browsers when the page is loaded, the attack does not require user interaction beyond visiting the affected page. The description identifies the shortcode name livesmart_widget as the insertion point for malicious attributes.
Impact is limited to actions possible via script execution in the context of the affected page: for example, disclosure of data accessible to the page, modification of page content rendered to viewers, and facilitating targeted social engineering. There is no CVE data here that indicates remote code execution on the server or direct compromise of the WordPress core.
How This Could Impact Your Website
In a realistic scenario, a site administrator maintains content and user accounts while internal staff and an external contractor or contributor add or edit posts and pages. If a contributor-level user submits a page or shortcode attribute containing a malicious script, that script could execute in the browsers of site owners, editors, or visitors who view the page.
- Internal staff or administrators viewing the infected page could have data accessible to that page exposed to the attacker-controlled script.
- The attacker could use in-page script execution to harvest or expose internal user email addresses that appear on pages, increasing the risk of targeted phishing or social engineering against staff or contractors.
- The presence of stored XSS can undermine user trust and make site editors and contributors targets for follow-up attacks that rely on the injected content.
If you\’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor and editor accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins to reduce attack surface.
- Monitor site activity and page content for unusual changes or unexpected script tags in posts and shortcodes.
If you\’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
