Cross-Site Scripting in WordPress live chat support plugin

Day after day, a vulnerability or an attack on the WordPress CMS comes to light, and clearly this is not the end of it. Adding to the previously reported vulnerabilities, another fairly severe cross-site scripting vulnerability has been disclosed in the WordPress plugin wp-live-chat-support. This XSS in the WP Live Chat Support plugin affects versions preceding 8.0.27.

The WP Live Chat Support plugin has more than 60,000 installations according to the official WordPress plugin directory and, at the time of writing, was updated only 15 hours ago.

WP live chat support on WordPress

Status of the Risk

The severity of the vulnerability can be judged from the fact that any unauthenticated user (without even having an account) can exploit it remotely by injecting malicious scripts into vulnerable websites.

This vulnerability arose from an unprotected admin_init hook, which any unauthenticated attacker can trigger by visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php to arbitrarily update the option “wplc_custom_js”.

Further, the contents of wplc_custom_js are loaded on whichever page the live chat appears, which means the malicious JavaScript is loaded on those same pages; since attacker-controlled JavaScript is loaded as-is, this yields XSS directly.
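To show what “unprotected” means here, the following is an added illustration and not the plugin's own code: an admin_init callback that saves a settings option, first in the insecure shape this class of bug takes, then hardened with a capability check and a nonce. Every function name and the form-field name are hypothetical; only the option name wplc_custom_js comes from the advisory above.

```php
<?php
// Added example, not code from the wp-live-chat-support plugin.
// All function names and the nonce/field names below are hypothetical.

// INSECURE pattern: admin_init fires for every request that loads the admin
// bootstrap, including unauthenticated requests to admin-post.php and
// admin-ajax.php. Nothing here proves the requester is allowed to change
// settings, so anyone can overwrite the option.
function example_insecure_save_custom_js() {
    if ( isset( $_POST['wplc_custom_js'] ) ) {
        update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
    }
}
// add_action( 'admin_init', 'example_insecure_save_custom_js' ); // do not use

// HARDENED pattern: require a privileged user and a valid nonce before writing.
function example_secure_save_custom_js() {
    if ( ! isset( $_POST['wplc_custom_js'] ) ) {
        return;
    }
    // Authorization: only users who may manage options can change a
    // site-wide script setting. Unauthenticated requests stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // CSRF protection: the request must carry the nonce issued with the
    // settings form; check_admin_referer() dies on a missing or invalid nonce.
    check_admin_referer( 'example_save_custom_js', 'example_custom_js_nonce' );
    update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
}
add_action( 'admin_init', 'example_secure_save_custom_js' );

// Settings form field (hypothetical) that issues the nonce checked above.
function example_custom_js_field() {
    wp_nonce_field( 'example_save_custom_js', 'example_custom_js_nonce' );
    echo '<textarea name="wplc_custom_js">'
        . esc_textarea( get_option( 'wplc_custom_js', '' ) )
        . '</textarea>';
}
```

Because this option is by design emitted as raw script on front-end pages, output escaping cannot help; access control on the write path is the only guard, which is why the missing checks are the whole bug.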

Mitigate the Risk

Update to the latest version

The best possible solution is to update WP Live Chat Support to the latest version, i.e. version 8.0.27 or later. After the vulnerability was reported, the developers took almost half a month to patch the vulnerable version. Since then, the WP Live Chat Support plugin has been patched twice; the current version available for download is 8.0.29.

WordPress Security Suite

Having a security guard on your website always helps. Astra WordPress Security Suite is tailored for WordPress and offers complete protection with its continuous and comprehensive firewall. In addition to this, Astra’s on-demand Malware Scanner scans and flags malicious files with just a click. Moreover, the first scan takes less than 10 minutes, and subsequent scans take even less.

About The Author

Aakanchha Keshri

A tech enthusiast. She loves to learn and write about CMS security. And a Potterhead.
