WP Live Chat Support - Vulnerability

The developers of the WP Live Chat Support plugin, which has more than 50,000 installations, report that users should immediately upgrade the plugin to version 8.0.33 or later. A critical vulnerability has been found in the plugin that allows an attacker without valid credentials to bypass its authentication mechanism.

WP Live Chat Support lets you add a free chat widget to your site, through which employees can provide support and assistance to site visitors.

Researchers from Alert Logic found that versions 8.0.32 and earlier of the plugin allow an unauthenticated attacker to reach REST API endpoints that should not be accessible under normal circumstances. The vulnerability received the identifier CVE-2019-12498. By exploiting the bug, an attacker can not only steal the full logs of already completed chats, but also interfere with chat sessions that are still active.

The researchers say that, using the bug, an attacker can insert their own messages into active chats, edit existing messages, and cause a denial of service by forcibly terminating chat sessions.

According to Alert Logic, administrators who for some reason cannot install the plugin update can temporarily mitigate the problem by configuring WAF filters.
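As an added illustration of what such a stop-gap looks like at the application layer rather than in a WAF, the following must-use plugin refuses unauthenticated requests to one REST namespace before the route's callback runs. It is example code written for this article, not code from Alert Logic or from the WP Live Chat Support project, and the namespace string is a placeholder: the real route prefix has to be taken from the plugin's own `register_rest_route()` calls.

```php
<?php
/**
 * Plugin Name: Temporary REST route gate (example only)
 * Description: Place this file in wp-content/mu-plugins/ to require a logged-in
 *              user for every REST route under one namespace until the affected
 *              plugin can be updated. Added example; not vendor code.
 */

// ASSUMPTION: placeholder namespace. Replace with the prefix the vulnerable
// plugin actually registers; nothing on the advisory page names it.
const TEMP_GATED_REST_NAMESPACE = 'example-plugin/v1';

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // get_route() returns the matched route with a leading slash, e.g. "/wp/v2/posts".
    $route  = $request->get_route();
    $prefix = '/' . trim( TEMP_GATED_REST_NAMESPACE, '/' ) . '/';

    // Leave core routes and other plugins' routes untouched.
    if ( strpos( $route, $prefix ) !== 0 ) {
        return $result;
    }

    // No authenticated WordPress user: short-circuit dispatch with a 401 and
    // record the attempt so it is visible in the PHP error log.
    if ( ! is_user_logged_in() ) {
        error_log( sprintf(
            'Blocked unauthenticated REST request to %s from %s',
            $route,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
        return new WP_Error(
            'rest_forbidden',
            'Authentication required for this endpoint.',
            array( 'status' => 401 )
        );
    }

    // Authenticated caller: fall through to normal dispatch.
    return $result;
}, 10, 3 );
```

Returning a non-null value from `rest_pre_dispatch` makes `WP_REST_Server` skip the route callback and send the error response instead. Because WordPress cookie authentication for REST requests also requires a valid `X-WP-Nonce` header, legitimate chat agents' own front-end requests must carry one; test the gate on a staging copy so support staff are not locked out along with the attacker.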

Interestingly, in the past month Sucuri's specialists discovered another dangerous problem in WP Live Chat Support: an XSS bug that allowed attacks on vulnerable sites to be automated and malicious code to be injected without authentication. Criminals quickly began exploiting this vulnerability. According to ZScaler ThreatLabZ, attackers injected malicious JavaScript into vulnerable sites that forced redirects and produced pop-up windows and fake subscription prompts.