Day after day, a new vulnerability or attack on the WordPress CMS comes to light, and clearly this is not the end of it. Adding to the previously reported vulnerabilities, another quite severe cross-site scripting (XSS) vulnerability has been disclosed in the WordPress plugin wp-live-chat-support. This XSS in the WP Live Chat Support plugin affects all versions preceding 8.0.27.
The WP Live Chat Support plugin has more than 60,000 installations according to the official WordPress plugin directory and, at the time of writing, had been updated only 15 hours ago.
Status of the Risk
The severity of the vulnerability can be judged from the fact that any unauthenticated user (one without even an account on the site) can exploit it remotely by injecting malicious scripts into vulnerable websites.
This vulnerability arose from an unprotected admin_init hook. The admin_init action fires on every request to /wp-admin/admin-post.php and /wp-admin/admin-ajax.php, including requests from visitors who are not logged in, so a handler attached to it that performs no capability or nonce check can be reached by any unauthenticated attacker and used to arbitrarily update the option "wplc_custom_js". Further, the contents of wplc_custom_js are loaded on whichever page the live chat appears, which means the injected JavaScript is served on those same pages; serving attacker-controlled JavaScript to every visitor of those pages is exactly what makes this a stored XSS that requires no further effort from the attacker.
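To make the root cause concrete, here is an added illustration (not the wp-live-chat-support plugin's own code) of an admin_init handler that writes an option without any authorization, placed beside a hardened version that requires an explicit trigger, the manage_options capability and a nonce. The plugin prefix, function names and form field names are invented for this example; only the WordPress core APIs and the option name wplc_custom_js come from the text.

```php
<?php
/*
 * Added illustration, not the wp-live-chat-support plugin's code.
 * Assumption: a hypothetical plugin stores admin-supplied JavaScript in
 * the option "wplc_custom_js" and prints it on pages where the chat
 * widget appears. All example_* names are invented for this example.
 */

// VULNERABLE PATTERN: admin_init fires on every request to
// /wp-admin/admin-post.php and /wp-admin/admin-ajax.php, including
// requests from visitors who are not logged in. With no capability
// check and no nonce, anyone who can send a POST can overwrite the option.
function example_vuln_save_custom_js() {
    if ( isset( $_POST['wplc_custom_js'] ) ) {
        update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
    }
}
add_action( 'admin_init', 'example_vuln_save_custom_js' );

// HARDENED PATTERN: the handler only acts on its own form submission,
// and only after verifying who is asking (capability) and that the
// request came from a form this user rendered (nonce, CSRF defence).
function example_safe_save_custom_js() {
    if ( ! isset( $_POST['example_save_custom_js'] ) ) {
        return; // Not our form submission: ignore silently.
    }
    // Site-wide JavaScript is an administrator-only setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Dies with a 403 if the nonce is missing, expired or forged.
    check_admin_referer( 'example_custom_js_action', 'example_custom_js_nonce' );

    $js = isset( $_POST['wplc_custom_js'] ) ? wp_unslash( $_POST['wplc_custom_js'] ) : '';
    update_option( 'wplc_custom_js', $js );
}
add_action( 'admin_init', 'example_safe_save_custom_js' );

// Settings form; wp_nonce_field() pairs with check_admin_referer() above.
function example_custom_js_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_custom_js_action', 'example_custom_js_nonce' );
    echo '<textarea name="wplc_custom_js">'
        . esc_textarea( get_option( 'wplc_custom_js', '' ) ) . '</textarea>';
    echo '<input type="hidden" name="example_save_custom_js" value="1">';
    submit_button( 'Save' );
    echo '</form>';
}
```

The capability check is the fix for the unauthenticated write described above; the nonce additionally stops a logged-in administrator from being tricked into submitting the change from another site.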
Mitigate the Risk
Update to the latest version
The best possible solution is to update WP Live Chat Support to the latest version, i.e. version 8.0.27 or later. After the vulnerability was reported, the developers took almost half a month to patch the vulnerable version. Since then, the WP Live Chat Support plugin has been patched twice; the current version available for download is 8.0.29.
WordPress Security Suite
Having a security guard on your website always helps. Astra WordPress Security Suite is tailored for WordPress and offers complete protection with its continuous and comprehensive firewall. In addition, Astra's on-demand Malware Scanner scans for and flags malicious files with a single click. Moreover, the first scan takes less than 10 minutes, and subsequent scans take even less.