WordPress Live Chat Plugin Exploited - Chat Sessions Manipulated

WP live chat support plugin, with more than 50,000+ installs is, again found vulnerable to grave vulnerability identified as CVE-2019-12498, which lets any unauthorized user steal chat history or hijack current chat sessions. Versions 8.0.32 and prior are vulnerable. Read about the full WP live chat support exploit in this article.

It was only a month ago when WP live chat support plugin was found to be vulnerable to severe cross-site scripting vulnerability. The infamous exploit had left scores of WordPress websites compromised. Following which WordPress had suspended WP live chat support plugin for any fresh installations temporarily.

WP Live chat Support was suspended earlier
WP Live chat Support was suspended earlier

Related article – Cross-Site Scripting in WordPress Live Chat Support Plugin

Technical Details: WP Live Chat Support Exploit

Researchers disclosed that the vulnerability has arisen due to a distorted validation check in the plugin which allows an unauthenticated user to access REST API functionality. And by extension to the powers of an authenticated user. Thus, he is able to exfiltrate chat logs and manipulate chat sessions.

The register_rest_route here are, accept chat, end chat, send message, as you will see in the picture below.

Due to the flawed wplc_api_permission_check function here, the validation check returns “true” for the permission check for logged in user, thus, giving any access to not logged in users.

Is your WordPress website hacked? Drop us a message here or chat with us now, and we will be happy to help 😊

Risks: WP Live Chat Support Exploit

According to the researchers, following are the risks your website faces due to the vulnerabilities in WP live chat support:

  • Attacker could Extract the entire chat history for all chat sessions
  • Hacker could hijack active chat sessions and manipulate it on will
  • Active chat sessions could be made to end abruptly as part of a denial of service (DoS) attack
  • Injected messages could be edited to conceal what any injected messages contained

Is your WordPress website hacked? Drop us a message here or chat with us now, and we will be happy to help 😊

Conclusion: WP Live Chat Support Exploit

Update To The Latest Version

After the security researchers reported the vulnerability to the developers, they patched and released the mended & updated version – 8.0.34. If you are still on version <=8.0.32 consider updating to the latest version, i.e. 8.0.34 to mitigate the risk.

Get a Complete Security Solution

Protecting your website round the clock is any day better than looking for measure to retrieve your website from a brutal hack. A Web Application Firewall, is a continuous monitoring system which monitors and protects your website from any attempted hack or cyber attack. Astra offers one such intelligent firewall which stops attacks like XSS, SQLi, bad bots, CSRF, & 100+ other cyber attacks. It identifies and blocks malicious IPs on its own. Astra Firewall adds to your website’s security immensely.

Get an Astra demo now!

Was this post helpful?



Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Aakanchha Keshri

Aakanchha is a tech & cybersecurity enthusiast. She is an active reader and writer of the cybersecurity genre.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close