Cross-Site Scripting in WordPress Live Chat Support Plugin
Day after day, a vulnerability or an attack on the WordPress CMS comes to light. Clearly, this is not the end of it. Adding to the precedented vulnerabilities, another quite severe cross-site scripting vulnerability is exposed on the WordPress plugin wp-live-chat-support. This XSS in wp live chat support plugin is in the versions preceding 8.0.27.
WP-live chat support plugin has more than 60,000 installations as per the official WordPress plugin directory and was updated only 15 hours ago.
Contents of This Guide
Status of the Risk
The severity of the vulnerability could be estimated from the fact that any unauthenticated user (without even having an account) can exploit this vulnerability remotely by injecting malicious scripts in the vulnerable websites.
This vulnerability arose due to an unprotected
Which can be called by visiting either
/wp-admin/admin-ajax.php by any unauthenticated attacker to arbitrarily update the option “
Further, the contents of
Mitigate the Risk
Update to the latest version
The best possible solution for this is to update wp-live chat support to the latest versions i.e. version 8.0.27 and onward. After the vulnerability has been reported the developers took almost half a month to patch the vulnerable version. Since then, WP live chat support plugin has been patched twice. The current version available for download is 8.0.29.
WordPress Security Suite
Having a security guard on your website always helps. Astra WordPress Security Suite is tailored for WordPress and offers complete protection with its continuous and comprehensive firewall. In addition to this, Astra’s on-demand Malware Scanner scans and flags malicious files on just a click. Moreover, it takes less than 10 minutes for the first scan and even lesser for subsequent scans.