The developers of the WP Live Chat Support plugin, which has over 50,000 installs, advise users to update to version 8.0.33 or later immediately. A critical vulnerability has been discovered in the plugin that allows an attacker without valid credentials to bypass its authentication mechanism.
WP Live Chat Support lets site owners add a free chat widget through which staff can provide support and assistance to visitors. Researchers at Alert Logic found that plugin versions 8.0.32 and below allow an unauthenticated attacker to access REST API endpoints that should not normally be reachable. The vulnerability has been assigned the identifier CVE-2019-12498. By exploiting the bug, an attacker can not only steal the logs of all completed chats but also interfere with chat sessions that are still active.
The researchers say that, using the bug, an attacker can inject their own messages into active chats, edit them, and also cause DoS conditions that make chat sessions terminate abnormally. According to Alert Logic, administrators who for some reason cannot install the plugin update can temporarily mitigate the problem by configuring WAF filters.
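The article does not say how the endpoints came to be reachable without credentials, so the following is an added illustration of the general bug class rather than the plugin's own code: a WordPress REST route that exposes chat transcripts with no authorization check, beside the same route gated by a permission callback and input validation. The namespace, route names, capability and sample data are assumed placeholders.

```php
<?php
// Added illustration, not WP Live Chat Support code. The route namespace,
// the 'manage_options' capability and the sample chat log are assumptions.

add_action( 'rest_api_init', function () {
    // Weak pattern: transcripts readable by any anonymous visitor, because
    // the permission callback always returns true.
    register_rest_route( 'example-chat/v1', '/transcripts', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_chat_get_transcript',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: the same handler, but the caller must be an
    // authenticated user with the assumed capability, and chat_id is
    // validated and sanitized before the handler ever sees it.
    register_rest_route( 'example-chat/v1', '/transcripts-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_chat_get_transcript',
        'permission_callback' => 'example_chat_can_manage',
        'args'                => array(
            'chat_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_chat_can_manage( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {   // assumed capability
        return true;
    }
    // 401 for anonymous callers, 403 for logged-in users lacking the capability.
    return new WP_Error( 'rest_forbidden', 'Insufficient permissions.',
        array( 'status' => rest_authorization_required_code() ) );
}

function example_chat_get_transcript( WP_REST_Request $request ) {
    $chat_id = $request->get_param( 'chat_id' );
    // Constructed sample data standing in for stored chat logs.
    $logs = array( 1 => array( 'visitor' => 'hello', 'agent' => 'hi' ) );
    if ( ! isset( $logs[ $chat_id ] ) ) {
        return new WP_Error( 'not_found', 'No such chat.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( $logs[ $chat_id ] );
}
```

Auditing a plugin for this class of issue means checking every register_rest_route call for a permission callback that actually enforces a capability, not one that returns true for everyone.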
Interestingly, last month Sucuri discovered another dangerous issue in WP Live Chat Support: an XSS bug that allowed automated attacks on vulnerable sites and let attackers inject malicious code without authentication. This vulnerability was quickly exploited by criminals. For example, according to ZScaler ThreatLabZ, attackers injected malicious JavaScript into vulnerable sites that forced redirects and was responsible for pop-ups and fake subscriptions.
Source: xaker.ru