CVE-2024-4149

4.8 MEDIUM

📋 TL;DR

This vulnerability in the Floating Chat Widget WordPress plugin allows administrators to inject malicious scripts into plugin settings, which then execute in other users' browsers. It affects WordPress sites using plugin versions before 3.2.3, particularly in multisite configurations where unfiltered_html is restricted.

💻 Affected Systems

Products:
  • Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin
Versions: All versions before 3.2.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin-level access to exploit. Particularly relevant in WordPress multisite setups where unfiltered_html capability is disabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator account compromise leads to site takeover, credential theft from all users, or malware distribution to visitors.

🟠 Likely Case

A privileged admin user injects malicious JavaScript that steals session cookies or redirects users to phishing sites.

🟢 If Mitigated

Limited to admin users only, with minimal impact if proper user access controls and monitoring are in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative privileges. The attack vector is the plugin settings interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.3

Vendor Advisory: https://wpscan.com/vulnerability/0256ec2a-f1a9-4110-9978-ee88f9e24237/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Floating Chat Widget' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.2.3+ from the WordPress repository and replace the existing files.

🔧 Temporary Workarounds

Disable Plugin

Applies to: all

Temporarily disable the vulnerable plugin until patching is possible.

wp plugin deactivate floating-chat-widget

Restrict Admin Access

Applies to: all

Limit administrative accounts to trusted users only and implement multi-factor authentication.

🧯 If You Can't Patch

  • Remove admin privileges from untrusted users immediately.
  • Implement Content Security Policy (CSP) headers to restrict script execution.

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel go to Plugins → Floating Chat Widget and read the version number. If the version is below 3.2.3, you are vulnerable.

Check Version:

wp plugin get floating-chat-widget --field=version

Verify Fix Applied:

Confirm plugin version is 3.2.3 or higher in WordPress admin panel.
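The version check above, scripted as an added example (not part of the advisory): it wraps the WP-CLI command from this page and compares the result against the fixed release 3.2.3 field by field, so that a version such as 3.2.10 is correctly treated as newer than 3.2.3. The plugin slug `floating-chat-widget` is assumed to match the one used by the workaround command on this page.

```shell
#!/bin/sh
# Added example: is the installed Floating Chat Widget older than the fixed release?
FIXED_VERSION="3.2.3"

# version_lt A B : succeed (exit 0) if version A is older than version B.
# Versions are compared numerically on up to four dot-separated fields;
# missing fields count as 0 and non-numeric suffixes (e.g. "-beta") are ignored.
version_lt() {
    # Pad both sides so every field position 1..4 exists for cut.
    a="$1.0.0.0"
    b="$2.0.0.0"
    i=1
    while [ "$i" -le 4 ]; do
        pa=$(printf '%s' "$a" | cut -d. -f"$i")
        pb=$(printf '%s' "$b" | cut -d. -f"$i")
        pa=${pa%%[!0-9]*}; pa=${pa:-0}   # keep leading digits only
        pb=${pb%%[!0-9]*}; pb=${pb:-0}
        if [ "$pa" -lt "$pb" ]; then
            return 0
        elif [ "$pa" -gt "$pb" ]; then
            return 1
        fi
        i=$((i + 1))
    done
    return 1   # all fields equal: not older
}

# is_vulnerable_version V : succeed if V is below the patched version 3.2.3.
is_vulnerable_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_installed : query WP-CLI for the installed version and report.
# Exit 0 = vulnerable, 1 = patched, 2 = plugin not found / wp-cli unavailable.
check_installed() {
    v=$(wp plugin get floating-chat-widget --field=version 2>/dev/null) || {
        echo "floating-chat-widget not found or wp-cli unavailable"
        return 2
    }
    if is_vulnerable_version "$v"; then
        echo "VULNERABLE: installed $v is below $FIXED_VERSION"
        return 0
    fi
    echo "OK: installed $v is $FIXED_VERSION or newer"
    return 1
}
```

Run `check_installed` from the WordPress root (where WP-CLI can locate the site); the exit status makes it usable from a cron job or fleet-wide inventory script.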

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin setting modifications by admin users
  • JavaScript injection patterns in plugin option values

Network Indicators:

  • Unexpected external script loads from your domain
  • Suspicious outbound connections following page loads

SIEM Query:

source="wordpress" AND (event="plugin_updated" OR event="option_updated") AND plugin="floating-chat-widget"
