In the module “Module Live Chat Pro (All in One Messaging)” (livechatpro), a guest can perform PHP code injection in affected versions.

Summary

  • CVE ID: CVE-2024-36679
  • Published at: 2024-06-18
  • Advisory source: Friends-Of-Presta.org
  • Platform: PrestaShop
  • Product: livechatpro
  • Impacted release: <= 8.4.0 (see WARNING below)
  • Product author: ProQuality
  • Weakness: CWE-94
  • Severity: critical (10.0)

Description

Due to a predictable token, the method Lcp::saveTranslations() suffers from a white writer that can inject PHP code into a PHP file, which leads to a critical RCE.

WARNING: The author refuses to patch the vulnerability, so you should consider uninstalling the module. There is a strong design issue which cannot be fixed by a hotfix. The version tagged as impacted is the only version for which we had time to produce a POC; the author has updated things in newer versions, but the token is still predictable. You should therefore consider that all versions are impacted.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: changed
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Possible malicious usage

  • Obtain admin access
  • Remove data from the associated PrestaShop
  • Complete takeover

Other recommendations

  • It’s recommended to delete this module.
  • Activate OWASP 933’s rules on your WAF (web application firewall). Be warned that this will probably break your back office, so you will need to pre-configure some bypasses against this set of rules.
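
To act on the recommendation to delete the module, the following added example (not part of the advisory and not the module's code) checks PrestaShop installations for livechatpro and classifies them against the impacted range and the WARNING above. It assumes the standard PrestaShop layout, `modules/livechatpro/` with a `config.xml` containing a `<version>` element or a main PHP file setting `$this->version`; the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

MODULE = "livechatpro"       # product name from the advisory
CONFIRMED_MAX = (8, 4, 0)    # "Impacted release: <= 8.4.0"

# Assumption: standard PrestaShop module layout (not stated in the advisory).
_XML_VERSION = re.compile(r"<version>\s*(?:<!\[CDATA\[)?\s*([0-9][0-9.]*)")
_PHP_VERSION = re.compile(r"\$this->version\s*=\s*['\"]([0-9][0-9.]*)['\"]")


def parse_version(text):
    """Turn '8.4' into (8, 4, 0); longer versions keep all their parts."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))


def read_module_version(module_dir):
    """Return the declared version string, or None if it cannot be read."""
    for name, pattern in (("config.xml", _XML_VERSION),
                          (MODULE + ".php", _PHP_VERSION)):
        path = module_dir / name
        if path.is_file():
            match = pattern.search(path.read_text(errors="replace"))
            if match:
                return match.group(1)
    return None


def audit_shop(shop_root):
    """Classify one PrestaShop root against the advisory."""
    module_dir = Path(shop_root) / "modules" / MODULE
    if not module_dir.is_dir():
        return {"status": "absent", "version": None}
    version = read_module_version(module_dir)
    if version is not None and parse_version(version) <= CONFIRMED_MAX:
        status = "confirmed-impacted"   # range the POC was produced for
    else:
        # Newer or unreadable version: the advisory says the token is still
        # predictable, so treat every installed copy as impacted.
        status = "assume-impacted"
    return {"status": status, "version": version}


if __name__ == "__main__":
    for root in sys.argv[1:]:
        print(root, audit_shop(root))
```

Run it with one or more shop root directories as arguments; any result other than `absent` means the module directory is still on disk.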

Timeline

| Date | Action |
|------|--------|
| 2023-05-24 | Issue discovered during a code review by TouchWeb.fr |
| 2023-05-24 | Contact PrestaShop Addons security Team to confirm version scope by author |
| 2023-05-24 | PrestaShop Addons security Team confirms version scope by author |
| 2023-10-02 | Relaunch for patch |
| 2024-04-17 | Relaunch for patch |
| 2024-05-29 | PrestaShop Addons takes the module offline |
| 2024-06-06 | Received CVE ID |
| 2024-06-18 | Publish this security advisory |