Researchers have found a serious bug in the WP Live Chat Support plugin. This is the second time in six weeks that a vulnerability has been found in the plugin which is being used on thousands of WordPress websites. The latest bug allows hackers to inject their own code at websites that run this plugin.
About WP Live Chat Support
WP Live Chat Support is an open source plugin for WordPress that allows users to put live chat functionality on their websites for customer service purposes. The plugin currently has more than 60,000 active installations.
Vulnerability in admin_init
According to Sucuri, the vulnerability lies with an unprotected
admin_init hook (a hook is a way for one piece of code to interact with another piece of code). WordPress calls the admin_init hook when someone visits the admin page of a WordPress site. Developers can use this hook to invoke various functions. The problem is that admin_init does not require authentication, which means that anyone who visits the admin URL can run code. The admin hook of the plugin invokes an action called
wplc_head_basic, which updates the settings of the plugin without checking the privileges of the relevant user.
Not the first time
This is not the first time WP Live Chat Support has been confronted with a vulnerability. Last year the developers released a patch for CVE-2018-12426, a bug with which PHP scripts could be uploaded remotely. In April, Alert Logic discovered that the plugin was still vulnerable despite the patch.
Updating not possible?
“Unauthorized attacks are very serious because they can be automated, making it easy for hackers to conduct successful, widespread attacks on vulnerable websites. The number of active installations, the ease of operation and the effects of a successful attack make this vulnerability particularly dangerous. “
However, a number of users report that they cannot update. On the WP Live Chat Support page on WordPress.org is the message “This plugin has been closed for new installations.”
The developers of the plugin were not available for comment, although they did urge to update the affected plugin via Twitter last week.