WP Live Chat Support is a popular WordPress plugin that allows users to install a pop-up chat plugin to their websites for customer service functions. The plugin has more than 60,000 users. The vulnerability was first discovered April 30, and a patch was issued this past week. An unauthenticated attacker could seamlessly exploit it, allowing them to inject JavaScript payloads into impacted sites, researchers with Sucuri who discovered the flaw said. The flaw exists due to a well-known attack vector in the plugin: An unprotected admin-init hook.
Source: https://threatpost.com/wordpress-wp-live-chat-support-plugin-fixes-xss-flaw/144856/