
CVE-2022-3391: CWE-79 Cross-Site Scripting (XSS) in Unknown Retain Live Chat

Severity: Medium
Tags: Vulnerability, CVE-2022-3391, cve, cve-2022-3391, cwe-79
Published: Tue Oct 25 2022 (10/25/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Retain Live Chat

Description

The Retain Live Chat WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI-Powered Analysis

AI analysis last updated: 07/05/2025, 00:12:51 UTC

Technical Analysis

CVE-2022-3391 is a medium-severity vulnerability affecting the Retain Live Chat WordPress plugin through version 0.1. It is a Stored Cross-Site Scripting (XSS) flaw categorized under CWE-79. The issue arises because the plugin neither sanitises certain settings values when they are saved nor escapes them when they are rendered. This lets users with high privileges, such as administrators, store script content persistently in the plugin's settings, from where it is served to anyone who views the affected pages. Notably, the flaw can be exploited even when the WordPress capability 'unfiltered_html' is disallowed (for example in multisite environments), a restriction that normally prevents users from posting unfiltered HTML; that capability governs WordPress's own content filtering, not values a plugin stores directly, so it offers no protection here. The attack requires high privileges (admin-level access) and some user interaction, as the CVSS vector indicates. The impact is primarily to the confidentiality and integrity of the affected site: the stored script executes in the browsers of other users viewing the affected pages, potentially leading to session hijacking, privilege escalation, or other malicious activity. Availability is not affected. The CVSS score of 4.8 reflects a medium severity level, with a network attack vector, low attack complexity, and high privileges required. There are no known exploits in the wild, and no patches or updates had been linked or published at the time of this report. The vulnerability was published on October 25, 2022, and was assigned by WPScan. Given that the plugin is relatively unknown and at an early version (0.1), its user base may be limited, but any WordPress site using this plugin is at risk until the vulnerability is mitigated.
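As an added illustration (not the plugin's own code, which this page does not show), the settings-handling pattern that produces this class of bug beside its hardened form using WordPress's sanitise-on-save and escape-on-output functions. The option name rlc_greeting, the settings group and the function names are hypothetical.

```php
<?php
// Added illustration; hypothetical option name and settings group.
// Not code from the Retain Live Chat plugin (its source is not on this page).

// --- Vulnerable pattern: the setting is stored raw and printed unescaped.
// The plugin writes the value itself, so WordPress's unfiltered_html capability
// (which only governs core content filtering) is never consulted.
function rlc_vuln_register_settings() {
    register_setting( 'rlc_settings', 'rlc_greeting' ); // no sanitize_callback
}
function rlc_vuln_render_field() {
    // Unescaped output inside an attribute: a stored value containing a quote
    // followed by markup leaves the attribute and is rendered as HTML.
    echo '<input type="text" name="rlc_greeting" value="' . get_option( 'rlc_greeting', '' ) . '">';
}

// --- Hardened pattern: sanitise on save, escape on output.
function rlc_sanitize_greeting( $value ) {
    // Plain text only: strips tags and NUL bytes and normalises whitespace.
    return sanitize_text_field( (string) $value );
}
function rlc_safe_register_settings() {
    register_setting( 'rlc_settings', 'rlc_greeting', array(
        'type'              => 'string',
        'sanitize_callback' => 'rlc_sanitize_greeting', // runs on every save
        'default'           => '',
    ) );
}
function rlc_safe_render_field() {
    $greeting = get_option( 'rlc_greeting', '' );
    // Escape for the context the value lands in: esc_attr() inside an attribute,
    // esc_html() in element text. Escaping on output covers values stored before the fix.
    echo '<input type="text" name="rlc_greeting" value="' . esc_attr( $greeting ) . '">';
}
// If a setting legitimately needs limited markup, store wp_kses_post( $value ) instead of
// sanitize_text_field(); it allows the same tag set as post content and drops script.
add_action( 'admin_init', 'rlc_safe_register_settings' );
```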

Potential Impact

For European organizations using the Retain Live Chat plugin version 0.1, this vulnerability poses a risk primarily to the confidentiality and integrity of their WordPress sites. Since exploitation requires admin-level access, the threat is most relevant where internal users or attackers have already gained elevated privileges or where privilege escalation is possible. Successful exploitation could lead to persistent malicious script execution, enabling attackers to steal session cookies, perform actions on behalf of other users, or inject further malicious payloads. This could result in data breaches, reputational damage, and potential regulatory non-compliance under GDPR if personal data is compromised. The impact is heightened in multisite WordPress setups, common in larger organizations and managed service providers, where the unfiltered_html capability is typically restricted; that restriction does not prevent this vulnerability. Although no known exploits are reported, the presence of this vulnerability increases the attack surface and could be leveraged in targeted attacks against European entities relying on this plugin for live chat functionality on their websites.

Mitigation Recommendations

1. Immediate mitigation involves removing or disabling the Retain Live Chat plugin version 0.1 until a patched version is released.
2. If removal is not feasible, restrict admin access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of privilege abuse.
3. Implement Content Security Policy (CSP) headers to limit the impact of potential XSS payloads by restricting the sources from which scripts can be loaded and executed.
4. Regularly audit and sanitize all plugin settings and inputs manually if possible, to detect and remove any injected scripts.
5. Monitor WordPress logs and user activity for suspicious behavior indicative of exploitation attempts.
6. Stay informed about updates from the plugin vendor or WordPress security advisories to apply patches promptly once available.
7. Consider alternative, well-maintained live chat plugins with a strong security track record to replace Retain Live Chat.
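For step 4, an added audit helper (not part of the plugin or this advisory) that lists plugin settings containing HTML markup so they can be reviewed and cleaned. It assumes WP-CLI is available and uses a hypothetical option-name prefix rlc_, since the plugin's real option keys are not given on this page.

```php
<?php
// Added audit helper for mitigation step 4; not part of the plugin or this advisory.
// Run inside the site with WP-CLI:  wp eval-file rlc_audit.php
// The option-name prefix is an assumption (the plugin's real option keys are not on
// this page); set it to whatever the installed plugin actually stores in wp_options.
function rlc_audit_options( $prefix = 'rlc_' ) {
    global $wpdb;
    $findings = array();
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
        $wpdb->esc_like( $prefix ) . '%'
    ) );
    foreach ( $rows as $row ) {
        $value = maybe_unserialize( $row->option_value );
        // Settings are often arrays; flatten so nested values are checked as well.
        // JSON_UNESCAPED_SLASHES keeps closing tags intact for the tag check below.
        $text = is_scalar( $value ) ? (string) $value : wp_json_encode( $value, JSON_UNESCAPED_SLASHES );
        // Plain-text chat settings should never carry markup, so any tag is worth a look.
        if ( wp_strip_all_tags( $text ) !== $text ) {
            $findings[] = array(
                'option'  => $row->option_name,
                // true when wp_kses_post() would alter the value, i.e. it carries markup
                // WordPress disallows even in post content (entity normalisation can also
                // trigger this on a bare '&', so treat it as a review flag, not a verdict).
                'kses_changes' => wp_kses_post( $text ) !== $text,
                'excerpt' => substr( $text, 0, 80 ),
            );
        }
    }
    return $findings;
}

foreach ( rlc_audit_options() as $f ) {
    WP_CLI::log( sprintf( '%s: markup found (%s): %s',
        $f['option'], $f['kses_changes'] ? 'disallowed by kses' : 'allowed by kses', $f['excerpt'] ) );
}
```

Flagged options should be cleaned with sanitize_text_field() or wp_kses_post() as appropriate, and the audit repeated after any admin session that edited the plugin's settings.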


Technical Details

Data Version
5.1
Assigner Short Name
WPScan
Date Reserved
2022-10-03T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9817c4522896dcbd74df

Added to database: 5/21/2025, 9:08:39 AM

Last enriched: 7/5/2025, 12:12:51 AM

Last updated: 8/17/2025, 10:34:27 PM
