Bug in WordPress Live Chat Plugin Lets Hackers Inject Scripts

Site admins using WP Live Chat Support for WordPress are advised to update the plugin to the latest version to close a persistent cross-site scripting (XSS) vulnerability that can be abused without authentication.

The plugin is installed on over 60,000 websites and is advertised as a free alternative to a fully functional chat solution for customer engagement and conversion.

Risk of automated attacks

Researchers at Sucuri discovered that versions of the plugin previous to 8.0.27 are vulnerable to stored/persistent XSS, which can be exploited remotely by an attacker that does not have an account on the affected website.

TOP ARTICLES1/5READ MOREFacebook Bans Israeli Entity For Creating Fake Accounts

Without having to authenticate on the target website, hackers can automate their attacks to cover a larger number of victims. Add to this the popularity of the plugin and the low exploitation effort and you’ve got a recipe for disaster.

An XSS flaw is pretty serious in itself. It allows hackers to inject malicious code in websites or web apps and compromise visitors’ accounts or expose them to modified page content.

XSS can be persistent when the malicious code is added to a section that is stored on the server, such as user comments. When a user loads the tainted page, the malicious code is parsed by the browser completing the attacker’s instructions.

Details from Sucuri explain that exploiting the vulnerability is possible due to an unprotected ‘admin_init hook’ – a common attack vector for WordPress plugins.

The researchers say that the function ‘wplc_head_basic’ does not use run proper privilege checks to update the plugin settings.

The function then runs an action hook that is more critical, Sucuri’s John Castro shows in the image below:

“Since ‘admin_init’ hooks can be called visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker could use these endpoints to arbitrarily update the option  ‘wplc_custom_js’,” Castro details.

The content of the option is present on every page that loads the live chat support, so hackers targeting a vulnerable website can inject JavaScript code on multiple pages.

Sucuri notified the developers of the plugin on April 30, and a patched version was released on Wednesday.