Cross-Site Scripting in WordPress Live Chat Support Plugin

Updated on: March 29, 2020

Day after day, a new vulnerability or attack against the WordPress CMS comes to light, and clearly this is not the end of it. Adding to the list of earlier vulnerabilities, another quite severe cross-site scripting (XSS) vulnerability has been disclosed in the WordPress plugin wp-live-chat-support. This XSS in the WP Live Chat Support plugin affects versions prior to 8.0.27.

The WP Live Chat Support plugin has more than 60,000 installations according to the official WordPress plugin directory and was updated only 15 hours ago.

WP live chat support on WordPress

Status of the Risk

The severity of the vulnerability can be judged from the fact that any unauthenticated user (without even having an account on the site) can exploit it remotely by injecting malicious scripts into vulnerable websites.

This vulnerability arose from an unprotected admin_init hook. This hook fires for any request to /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, so an unauthenticated attacker can trigger it and arbitrarily update the option “wplc_custom_js”.

Further, the contents of wplc_custom_js are loaded on every page where the live chat widget appears, which means the injected JavaScript is served on those same pages to every visitor. Since the option is intended to hold raw JavaScript, no output escaping stands in the way, and the result is a stored XSS.
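To make the root cause concrete, here is an added example (not the plugin's own code; the function and nonce names are hypothetical) of the unprotected admin_init pattern the article describes, beside a hardened handler that verifies authentication, capability and a nonce before writing wplc_custom_js:

```php
<?php
// Added illustration, not code from wp-live-chat-support. Function names and
// the nonce action are hypothetical; the hook and option name are from the article.

// VULNERABLE PATTERN: admin_init runs for every request to admin-post.php and
// admin-ajax.php, logged in or not, so this stores whatever arrives in POST.
function example_save_custom_js_unprotected() {
    if ( isset( $_POST['wplc_custom_js'] ) ) {
        update_option( 'wplc_custom_js', $_POST['wplc_custom_js'] );
    }
}
// add_action( 'admin_init', 'example_save_custom_js_unprotected' );

// HARDENED PATTERN: the same save, gated on three checks.
function example_save_custom_js_protected() {
    if ( ! isset( $_POST['wplc_custom_js'] ) ) {
        return;
    }
    // 1. Reject unauthenticated and low-privilege callers outright.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // 2. Reject requests that did not originate from the plugin's own settings
    //    form (CSRF protection). 'example_custom_js_save' is a hypothetical action.
    check_admin_referer( 'example_custom_js_save', 'example_custom_js_nonce' );
    // 3. The option holds raw JavaScript that is echoed to every visitor, so only
    //    users WordPress already trusts with scripts (unfiltered_html) may set it.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( 'Not allowed to store custom scripts', 403 );
    }
    update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
}
add_action( 'admin_init', 'example_save_custom_js_protected' );
```

Defenders can also watch the options table or audit logs for unexpected changes to wplc_custom_js, since a modification from an unauthenticated request is the observable trace of this bug being exploited.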

Mitigate the Risk

Update to the latest version

The best possible solution is to update WP Live Chat Support to version 8.0.27 or later. After the vulnerability was reported, the developers took almost half a month to patch the vulnerable version. Since then, the plugin has been patched twice; the current version available for download is 8.0.29.

WordPress Security Suite

Having a security guard on your website always helps. Astra WordPress Security Suite is tailored for WordPress and offers complete protection with its continuous and comprehensive firewall. In addition, Astra’s on-demand Malware Scanner scans and flags malicious files with a single click. Moreover, the first scan takes less than 10 minutes, and subsequent scans take even less.

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.