XSS flaw in WordPress Live Chat Plugin lets attackers compromise WP sites

A vulnerability in the Live Chat Support plugin for WordPress could be exploited by attackers to inject malicious scripts in websites using it

Researchers at Sucuri have discovered a stored/persistent cross-site scripting (XSS) vulnerability in the WP Live Chat Support plugin for WordPress.

The flaw could be exploited by remote, unauthenticated attackers to inject malicious scripts into websites running the WordPress CMS with the Live Chat Support plugin installed. The issue can be exploited by a remote attacker who does not have an account on the affected website.

The plugin, which implements a chat solution for customer engagement and conversion, is estimated to have over 60,000 installs.

Versions of the plugin previous to 8.0.27 are vulnerable to stored/persistent XSS.

Experts pointed out that the attack that triggers this issue can be automated to hit a broad range of victims.

An XSS vulnerability could allow hackers to inject malicious code in websites and compromise visitors’ accounts or expose them to modified page content. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. 

An XSS is persistent (stored) when the malicious code is saved in a section of the site that is stored on the server. Every time a visitor’s browser loads the page, it parses and executes that malicious code.

The attack vector for the vulnerability is an unprotected admin_init hook:

Experts discovered that the function wplc_head_basic lacks proper privilege checks while updating the plugin settings.

“It then executes an action hook with even more critical settings,” reads the advisory published by Sucuri. “Since ‘admin_init’ hooks can be called visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker could use these endpoints to arbitrarily update the option ‘wplc_custom_js’.”

The content of the option is added to every page that loads the live chat support, allowing attackers to inject malicious JavaScript code on multiple pages.
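As an added illustration that is not the plugin’s own code nor Sucuri’s, the following PHP contrasts a settings handler hooked to admin_init with no authorization check against a hardened version that uses WordPress’s capability and nonce checks. The function names and the nonce action string are assumptions; the option name wplc_custom_js is the one named in the advisory.

```php
<?php
// Hypothetical illustration of the vulnerable pattern and its fix.
// Function names and the nonce action are assumptions, not the plugin's code.

// VULNERABLE PATTERN: admin_init also fires for logged-out requests to
// /wp-admin/admin-post.php and /wp-admin/admin-ajax.php, so any visitor
// who sends this parameter overwrites the stored option.
function example_save_custom_js_vulnerable() {
    if ( isset( $_POST['wplc_custom_js'] ) ) {
        update_option( 'wplc_custom_js', $_POST['wplc_custom_js'] );
    }
}
// add_action( 'admin_init', 'example_save_custom_js_vulnerable' );

// HARDENED PATTERN: require an authenticated administrator and a valid
// nonce before touching the option. Because the option is by design raw
// JavaScript served to every visitor, authorization (not output escaping)
// is the control that matters here.
function example_save_custom_js_hardened() {
    if ( ! isset( $_POST['wplc_custom_js'] ) ) {
        return;
    }
    // Logged-out users hold no capabilities, so this gate alone closes the
    // unauthenticated path described in the advisory.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // The submitting form must carry wp_nonce_field( 'example_save_custom_js' );
    // without it a logged-in admin could be tricked into submitting the update.
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ), 'example_save_custom_js' ) ) {
        return;
    }
    // wp_unslash removes the slashes WordPress adds to request data.
    $js = wp_unslash( $_POST['wplc_custom_js'] );
    update_option( 'wplc_custom_js', $js );
}
add_action( 'admin_init', 'example_save_custom_js_hardened' );
```

A defender reviewing a plugin can grep for `update_option` calls reachable from `admin_init` handlers and confirm each is preceded by a `current_user_can` check and a nonce verification.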

To secure your WordPress install, update the WP Live Chat Support plugin to version 8.0.27.

Below is the timeline of the flaw:

(From securityaffairs.co)

WordPress 5.2 arrives with Site Health Check and PHP Error Protection

WordPress.org today launched WordPress 5.2, which focuses on helping you fix your site in the blog management tool. Version 5.2, which was developed by 327 volunteer contributors, can help you identify and fix configuration issues and fatal errors, whether you are building a site for personal use or managing multiple sites for clients. You can download the new release now from WordPress.org/Download.

WordPress is a content management system (CMS) that powers over 30% of the web. The latest version is dubbed “Jaco,” in honor of renowned and revolutionary jazz bassist Jaco Pastorius.

New WordPress 5.2 features

WordPress 5.1 introduced Site Health, a suite of features focused on security and speed. WordPress 5.2 builds on the suite with Site Health Check, which adds two new pages to help debug common configuration issues. Site Health Check also adds a space where developers can include debugging information for site maintainers.

Next is PHP Error Protection, an administrator-focused update that lets you safely fix or manage fatal errors without requiring developer time. PHP Error Protection features better handling of the “white screen of death.” It also offers a way to enter recovery mode, which pauses error-causing plugins or themes.

Additionally, WordPress 5.2 brings accessibility updates to improve contextual awareness and keyboard navigation flow for those using screen readers and other assistive technologies. There are also 13 new dashboard icons and plugin compatibility checks — WordPress will now automatically determine if your site’s version of PHP is compatible with installed plugins. If the plugin requires a higher version of PHP than your site currently uses, WordPress will not let you activate it.

Developer features

WordPress 5.2 also brings the following for developers:

WordPress 5.2 was released some three months after its predecessor. The team did not mention WordPress 5.3, but it’s likely already in the works.

(From venturebeat.com)