
CVE-2025-51397: n/a

Medium
Published: Mon Jul 21 2025 (07/21/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A stored cross-site scripting (XSS) vulnerability in the Facebook Chat module of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Surname parameter under the Recipient Lists.

AI-Powered Analysis

Last updated: 07/29/2025, 01:27:28 UTC

Technical Analysis

CVE-2025-51397 is a stored cross-site scripting (XSS) vulnerability in the Facebook Chat module of Live Helper Chat version 4.60. It arises from improper sanitization of user input in the 'Surname' parameter of the Recipient Lists feature. An attacker can inject crafted scripts or HTML into this parameter; the value is stored and later rendered in the web interface without adequate encoding or filtering. When a legitimate user views the affected chat interface or recipient list, the payload executes in their browser context. This can lead to session hijacking, credential theft, or actions performed on behalf of the user.

The vulnerability is classified under CWE-779, which relates to improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4 (medium severity). The vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R), changed scope (S:C), limited confidentiality and integrity impacts (C:L/I:L), and no availability impact (A:N).

No known exploits are currently reported in the wild, and no patches have been published yet. The attacker must have some level of privileges on the system and must trick a user into interacting with the malicious payload, which limits exploitation, but the flaw still poses a significant risk in environments where the chat module is used for internal or customer communications.

Potential Impact

For European organizations using Live Helper Chat, especially those integrating the Facebook Chat module for customer support or internal communications, this vulnerability could lead to unauthorized disclosure of sensitive information and manipulation of user sessions. Attackers exploiting this flaw could execute arbitrary scripts in the context of the victim’s browser, potentially stealing authentication tokens or performing actions with the victim’s privileges. This could compromise confidentiality and integrity of communications and user data. Given the medium severity and requirement for some privileges and user interaction, the impact is moderate but could escalate if combined with other vulnerabilities or social engineering tactics. Organizations in sectors such as finance, healthcare, and government, which rely heavily on secure communications, may face reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions if attackers leverage this vulnerability to gain further footholds or exfiltrate data.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately audit their Live Helper Chat deployments and restrict access to the Facebook Chat module to trusted users only. Input validation and output encoding must be enforced rigorously on the 'Surname' parameter and any other user-supplied data fields to prevent injection of malicious scripts. Until an official patch is released, applying web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the Recipient Lists can reduce risk. Additionally, organizations should implement strict Content Security Policies (CSP) to limit the execution of unauthorized scripts in browsers. Regular user training to recognize phishing or social engineering attempts that might trigger the malicious payload is also recommended. Monitoring logs for unusual activity related to chat usage and promptly applying updates once patches are available will further reduce exposure.
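The audit and output-encoding steps recommended above can be combined into a short review script. This is an added example, not Live Helper Chat code: it assumes the recipient list has been exported to CSV, and the column names (`id`, `name`, `surname`) and sample rows are constructed for illustration.

```python
import csv
import html
import io
import re

# Constructed sample export of a recipient list. The column names are
# assumptions for this example, not Live Helper Chat's actual schema.
SAMPLE_EXPORT = '''id,name,surname
1,Ana,Kowalska
2,Tom,O'Brien & Sons
3,Eve,"<script>alert(1)</script>"
4,Max,"Smith"" onmouseover=""x"
5,Li,&lt;b&gt;Chen&lt;/b&gt;
'''

# Markup indicators: a tag opener, an inline event-handler attribute,
# or a javascript: URL scheme.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon\w+\s*=|javascript\s*:", re.I)


def audit_surnames(export_text):
    """Return (id, surname) for rows whose stored surname looks like markup."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Decode entities first so pre-encoded markup is judged by what it represents.
        decoded = html.unescape(row["surname"])
        if SUSPICIOUS.search(decoded):
            findings.append((row["id"], row["surname"]))
    return findings


def encode_for_html(value):
    """Output encoding for HTML text and quoted-attribute contexts."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for rec_id, surname in audit_surnames(SAMPLE_EXPORT):
        # Print the encoded form so the report itself is safe to open in a browser.
        print(f"recipient {rec_id}: review stored surname -> {encode_for_html(surname)}")
```

Legitimate surnames containing apostrophes or ampersands are not flagged by the audit; they are handled by encoding at render time rather than by rejecting the input.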


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 687e8e75a83201eaac12a8b5

Added to database: 7/21/2025, 7:01:09 PM

Last enriched: 7/29/2025, 1:27:28 AM

Last updated: 8/10/2025, 6:14:17 PM
