A vulnerability in the Live Chat Support plugin for WordPress could be exploited by attackers to inject malicious scripts into websites using it
Researchers at Sucuri have discovered a stored/persistent cross-site scripting (XSS) vulnerability in the WP Live Chat Support plugin for WordPress.
The flaw could be exploited by remote, unauthenticated attackers to inject malicious scripts into websites running the WordPress CMS with the Live Chat Support plugin installed. The issue can be exploited by a remote attacker who does not have an account on the affected website.
It has been estimated that the plugin currently has over 60,000 installs; it implements a chat solution for customer engagement and conversion.
Versions of the plugin previous to 8.0.27 are vulnerable to stored/persistent XSS.
Experts pointed out that exploitation of this issue can be automated to hit a broad range of victims.
An XSS vulnerability could allow hackers to inject malicious code into websites and compromise visitors’ accounts or expose them to modified page content. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
An XSS is persistent (stored) when the malicious code is added to a section of the page that is stored on the server. Every time a visitor's browser loads the page, it parses and executes the malicious code.
In order to exploit the vulnerability, it is possible to use an unprotected admin_init hook as the attack vector.
Experts discovered that the function wplc_head_basic lacks proper privilege checks while updating the plugin settings.
“It then executes an action hook with even more critical settings,” reads the advisory published by Sucuri. “Since ‘admin_init’ hooks can be called visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker could use these endpoints to arbitrarily update the option ‘wplc_custom_js’.”
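The root cause described above, shown as a generic pattern in added example code (this is not the plugin's own code): a settings handler hooked to admin_init that writes an option without checking who is calling, next to the hardened form that authorizes the caller first. The function names, the nonce action and the `$_POST` field name are assumptions; only the hook and option names come from the advisory.

```php
<?php
// Added illustration, not the plugin's actual code. admin_init also fires for
// unauthenticated requests to /wp-admin/admin-post.php and
// /wp-admin/admin-ajax.php, so a callback on this hook must enforce
// authorization itself; the hook name guarantees nothing about the caller.

// Vulnerable pattern: any request carrying the parameter rewrites the option,
// and the stored value is later printed into every page as JavaScript.
function example_head_basic_vulnerable() {
    if ( isset( $_POST['wplc_custom_js'] ) ) {          // assumed field name
        update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
    }
}
// add_action( 'admin_init', 'example_head_basic_vulnerable' );

// Hardened pattern: verify capability, then verify request origin, then write.
function example_head_basic_fixed() {
    if ( ! isset( $_POST['wplc_custom_js'] ) ) {
        return;
    }
    // 1. Capability check: admin_init does not imply an administrator, or
    //    even a logged-in user. Unauthenticated callers fail here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: stops a logged-in admin being made to submit this via CSRF.
    //    The settings form must emit the matching field with
    //    wp_nonce_field( 'example_save_settings', 'example_nonce' ).
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    // 3. Persist. A custom-JS option is raw code by design, so authorization
    //    (steps 1 and 2), not output escaping, is the control that matters.
    update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
}
add_action( 'admin_init', 'example_head_basic_fixed' );
```

When auditing a plugin for this class of bug, grep every `admin_init` callback that calls `update_option()` and confirm a capability check and a nonce check both precede the write.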
To secure your WordPress install, update the WP Live Chat Support plugin to version 8.0.27.
Below is the timeline of the flaw:
- April 30, 2019: Initial contact attempt.
- May 15, 2019: Patch is live.