Site admins using WP Live Chat Support for WordPress are advised to update the plugin to the latest version to close a persistent cross-site scripting (XSS) vulnerability that can be abused without authentication. […]

from https://www.bleepingcomputer.com/news/security/bug-in-wordpress-live-chat-plugin-lets-hackers-inject-scripts/