Pierluigi Paganini May 17, 2019

A vulnerability in the Live Chat Support plugin for WordPress could be exploited by attackers to inject malicious scripts in websites using it

Researchers at Sucuri have discovered a stored/persistent cross-site scripting (XSS) vulnerability in the WP Live Chat Support plugin for WordPress.

The flaw could be exploited by remote, unauthenticated attackers to inject malicious scripts in websites running WordPress CMS and using
Live Chat Support plugin. The issue could be exploited by a remote attacker that does not have an account on the affected website.

It has been estimated that the plugin currently has over 60,000 installs, it implements a chat solution for customer engagement and conversion.

Versions of the plugin previous to 8.0.27 are vulnerable to stored/persistent XSS.

Experts pointed out that the attack to trigger this issue can be automated to hit a broad range of victims.

An XSS vulnerability could allow hackers to inject malicious code in websites and compromise visitors’ accounts or expose them to modified page content. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. 

An XSS is persistent when the malicious code is added to a section that is stored on the server. Every time the browser of a visitor loads the page, it parses the malicious code and executes the malicious code.

In order to exploit the vulnerability, it is possible to use an unprotected admin_init hook as attack vector:

Experts discovered that the function wplc_head_basic lack of proper privilege checks while updates the plugin settings.

“It then executes an action hook with even more critical settings ” reads the advisory published by Sucuri. ” Since “admin_init” hooks can be called visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker could use these endpoints to arbitrarily update the option  “wplc_custom_js”. “

The content of the option is added to every page that loads the live chat support, allowing attackers to inject malicious JavaScript code on multiple pages.

To secure your WordPress install update the WP Live Chat Support pluign to version 8.0.27

Below the timeline of the flaw:

• April 30, 2019: Initial contact attempt.
• May 15, 2019: Patch is live.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

https://www.surveymonkey.com/r/EUBloggerAwards2018

I’m one of the finalists thanks to your support

Pierluigi Paganini

(SecurityAffairs – Live Chat Support, Hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]