
XSS flaw in WordPress Live Chat Plugin lets attackers compromise WP sites

2019-05-20
Administrator

A vulnerability in the Live Chat Support plugin for WordPress could be exploited by attackers to inject malicious scripts into websites using it.

Researchers at Sucuri have discovered a stored/persistent cross-site scripting (XSS) vulnerability in the WP Live Chat Support plugin for WordPress.

The flaw could be exploited by remote, unauthenticated attackers to inject malicious scripts into websites running the WordPress CMS with the Live Chat Support plugin installed. The issue can be exploited by a remote attacker who does not have an account on the affected website.

The plugin is estimated to have over 60,000 active installs; it implements a chat solution for customer engagement and conversion.

Versions of the plugin prior to 8.0.27 are vulnerable to stored/persistent XSS.

Experts pointed out that the attack that triggers this issue can be automated to hit a broad range of victims.

An XSS vulnerability could allow attackers to inject malicious code into websites and compromise visitors’ accounts or expose them to modified page content. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

An XSS is persistent (stored) when the malicious code is saved in a location on the server. Every time a visitor’s browser loads the page, it parses and executes the malicious code.

To exploit the vulnerability, an unprotected admin_init hook can be used as the attack vector: experts discovered that the function wplc_head_basic lacks proper privilege checks while updating the plugin settings.

“It then executes an action hook with even more critical settings,” reads the advisory published by Sucuri. “Since ‘admin_init’ hooks can be called visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker could use these endpoints to arbitrarily update the option ‘wplc_custom_js’.”

The content of the option is added to every page that loads the live chat support, allowing attackers to inject malicious JavaScript code into multiple pages.
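The root cause described above is an authorization gap: a callback attached to admin_init writes a site option without checking who is making the request, and admin_init fires for the admin-post.php and admin-ajax.php endpoints that unauthenticated visitors can reach. The following is an added illustrative example, not the plugin's code and not Sucuri's: it contrasts a hypothetical settings-save callback written in that weak style with a hardened version that gates the write on a capability check and a nonce. Only the hook name (admin_init) and the option name (wplc_custom_js) come from the advisory; the function names and the nonce action name are assumptions.

```php
<?php
// Added illustrative example, not the plugin's actual code. Function names
// and the nonce action name are hypothetical stand-ins; only 'admin_init'
// and 'wplc_custom_js' come from the advisory discussed above.

// WEAK PATTERN: writes an option straight from the request. Being attached
// to admin_init is not an authorization check, because admin_init also runs
// for requests to /wp-admin/admin-ajax.php and /wp-admin/admin-post.php,
// which are reachable without a login.
function example_weak_settings_save() {
    if ( isset( $_POST['wplc_custom_js'] ) ) {
        update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
    }
}
// add_action( 'admin_init', 'example_weak_settings_save' ); // intentionally not registered

// HARDENED PATTERN: the same write, gated on capability and a nonce.
function example_hardened_settings_save() {
    if ( ! isset( $_POST['wplc_custom_js'] ) ) {
        return;
    }

    // 1. Authorization: only users allowed to manage site options may proceed.
    //    Unauthenticated visitors (and low-privilege accounts) stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }

    // 2. CSRF protection: the settings form must carry a nonce tied to this
    //    action, so an administrator cannot be tricked into submitting the
    //    write from another site. check_admin_referer() dies on failure.
    check_admin_referer( 'example_save_settings', 'example_settings_nonce' );

    // 3. Store the administrator-supplied value. Custom JS is, by design,
    //    executed in visitors' browsers, so the control that matters is the
    //    authorization above; HTML-escaping the value would break the feature.
    update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
}
add_action( 'admin_init', 'example_hardened_settings_save' );

// Settings form fragment that emits the nonce field the hardened callback expects.
// The current value is escaped for the textarea context when rendered back to the admin.
function example_render_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_save_settings', 'example_settings_nonce' ); ?>
        <textarea name="wplc_custom_js"><?php echo esc_textarea( get_option( 'wplc_custom_js', '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The capability check is the fix for the unauthenticated case the advisory describes; the nonce closes the separate cross-site request forgery path against a logged-in administrator. For an incident review of an unpatched site, the same option name is the place to look: whatever is stored in wplc_custom_js is served to every visitor's browser.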

To secure your WordPress install, update the WP Live Chat Support plugin to version 8.0.27.

Below is the timeline of the flaw:

  • April 30, 2019: Initial contact attempt.
  • May 15, 2019: Patch is live.

(From securityaffairs.co)
