LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Operator Surname

Author: Manojkumar J
type: webapps
platform: php
port: 
date_added: 2025-07-22  
date_updated: 2025-07-22  
verified: 0  
codes: CVE-2025-51397  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 52377.txt  
# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Operator Surname
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51397
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51397

A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
injecting a crafted payload into the Operator Surname field. This payload
is stored and later executed when an admin or higher-privileged user views
the Recipients List where the attacker is listed as the Owner.

## Reproduction Steps:

1. Log in as an operator.
2. Navigate to your Operator Surname field.
3. Create new Operator Surname or Modify the Operator Surname, enter the
following payload:
   ```
  "><img src="x" onerror="prompt(1);">
   ```
4. Save the changes.
5. This payload is stored and later executed when an admin or
higher-privileged user views the Recipients List where the attacker is
listed as the Owner.