WordPress Live Chat Plugin Exploited – Chat Sessions Manipulated
WP live chat support plugin, with more than 50,000+ installs is, again found vulnerable to grave vulnerability identified as CVE-2019-12498, which lets any unauthorized user steal chat history or hijack current chat sessions. Versions 8.0.32 and prior are vulnerable. Read about the full WP live chat support exploit in this article.
It was only a month ago when WP live chat support plugin was found to be vulnerable to severe cross-site scripting vulnerability. The infamous exploit had left scores of WordPress websites compromised. Following which WordPress had suspended WP live chat support plugin for any fresh installations temporarily.
Related article – Cross-Site Scripting in WordPress Live Chat Support Plugin
Technical Details: WP Live Chat Support Exploit
Researchers disclosed that the vulnerability has arisen due to a distorted validation check in the plugin which allows an unauthenticated user to access REST API functionality. And by extension to the powers of an authenticated user. Thus, he is able to exfiltrate chat logs and manipulate chat sessions.
register_rest_route here are, accept chat, end chat, send message, as you will see in the picture below.
Due to the flawed
wplc_api_permission_check function here, the validation check returns “true” for the permission check for logged in user, thus, giving any access to not logged in users.
Risks: WP Live Chat Support Exploit
According to the researchers, following are the risks your website faces due to the vulnerabilities in WP live chat support:
- Attacker could Extract the entire chat history for all chat sessions
- Hacker could hijack active chat sessions and manipulate it on will
- Active chat sessions could be made to end abruptly as part of a denial of service (DoS) attack
- Injected messages could be edited to conceal what any injected messages contained
Conclusion: WP Live Chat Support Exploit
Update To The Latest Version
After the security researchers reported the vulnerability to the developers, they patched and released the mended & updated version – 8.0.34. If you are still on version <=8.0.32 consider updating to the latest version, i.e. 8.0.34 to mitigate the risk.
Get a Complete Security Solution
Protecting your website round the clock is any day better than looking for measure to retrieve your website from a brutal hack. A Web Application Firewall, is a continuous monitoring system which monitors and protects your website from any attempted hack or cyber attack. Astra offers one such intelligent firewall which stops attacks like XSS, SQLi, bad bots, CSRF, & 100+ other cyber attacks. It identifies and blocks malicious IPs on its own. Astra Firewall adds to your website’s security immensely.