Scroll Top

Another vulnerability found in WP Live Chat Support plugin

May 24, 2019

Researchers have found a serious bug in the WP Live Chat Support plugin. This is the second time in six weeks that a vulnerability has been found in the plugin which is being used on thousands of WordPress websites. The latest bug allows hackers to inject their own code at websites that run this plugin.

About WP Live Chat Support

WP Live Chat Support is an open source plugin for WordPress that allows users to put live chat functionality on their websites for customer service purposes. The plugin currently has more than 60,000 active installations.

 

Vulnerability in admin_init

According to Sucuri, the vulnerability lies with an unprotected admin_init hook (a hook is a way for one piece of code to interact with another piece of code). WordPress calls the admin_init hook when someone visits the admin page of a WordPress site. Developers can use this hook to invoke various functions. The problem is that admin_init does not require authentication, which means that anyone who visits the admin URL can run code. The admin hook of the plugin invokes an action called wplc_head_basic, which updates the settings of the plugin without checking the privileges of the relevant user.

A hacker could use this plugin to update a JavaScript option called wplc_custom_js. This determines the content that the plugin displays when the live chat support window appears. For example, malicious JavaScript code can be placed on multiple pages.

 

Not the first time

This is not the first time WP Live Chat Support has been confronted with a vulnerability. Last year the developers released a patch for CVE-2018-12426, a bug with which PHP scripts could be uploaded remotely. In April, Alert Logic discovered that the plugin was still vulnerable despite the patch.

 

Updating not possible?

WP Live Chat Support has fixed the JavaScript insertion bug with version 8.0.27, and the file upload bug in version 8.0.29 (rolled out on May 15, 2019). Sucuri advises users of the plugin to immediately update:

ā€œUnauthorized attacks are very serious because they can be automated, making it easy for hackers to conduct successful, widespread attacks on vulnerable websites. The number of active installations, the ease of operation and the effects of a successful attack make this vulnerability particularly dangerous. “

However, a number of users report that they cannot update. On the WP Live Chat Support page on WordPress.org is the message “This plugin has been closed for new installations.”

The developers of the plugin were not available for comment, although they did urge to update the affected plugin via Twitter last week.

Join Our Online Security and Hosting Newsletter Today

and stay updated with the latest news, updates, releases & much more.
Subscribe
SUBSCRIBE NOW
We respect your privacy.

Related Posts

vulnerability uncovered in aapanel hosting control panel

aaPanel is a free and Open source Hosting Control Panel for RHEL and Debian based systems. It is the Internationalized version for the BAOTA panel(www.bt.cn), developed in China. It allows users to manage their web server through a web-based GUI (Graphical User Interface). Join Our Online Security and Hosting…

28 Jun 2020
Exploit discovered

Due to an exploit discovered in our billing and support system, our system was taken offline temporarily. This was done to ensure client data safety. The exploit was patched a short time afterwards, however we have decided to keep the billing portal temporarily offline until validity of this patch…

02 Oct 2013
Drupal security vulnerabilities discovered SA-CORE-2017-003

  Multiple vulnerabilities for the Drupal CMS have been discovered. Drupal have released versions 8.3.4 and 7.56 which contain fixes for these security vulnerabilities. We recommend that you update Drupal as soon as possible. Join Our Online Security and Hosting Newsletter Today and stay updated with the latest news,…

24 Jun 2017
Exploit WordPress Arigato Autoresponder and Newsletter v2.5.1.8

TheĀ Arigato Autoresponder and Newsletter by Kiboko Labs plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog. Join Our Online Security and Hosting Newsletter…

28 Dec 2018
Joomla 3.7.1 Security and bugfix release

Joomla! 3.7.1 is now available. This is a security release for the 3.x series of Joomla! which addresses one critical security vulnerability and several bug fixes. The security issue was found to be the result of inadequate filtering of requested data that lead to a SQL Injection vulnerability. We…

17 May 2017
Xen Security Advisories (XSA-182 & XSA-183)

An update for Xen was just released to address two major security vulnerabilities and it is recommended that you update as soon as possible. Join Our Online Security and Hosting Newsletter Today and stay updated with the latest news, updates, releases & much more. Subscribe Email I agree to…

25 Jul 2016
Injection vulnerability In WP Database Backup Plugin

Researchers of the Threat Intelligence team of WordFence have warned on Tuesday that WordPress plugin WP Database Backup contains a critical vulnerability. The developer has since patched this flaw. Join Our Online Security and Hosting Newsletter Today and stay updated with the latest news, updates, releases & much more….

02 Jun 2019
New VMware bug exploited to breach networks

A vulnerability that VMware patched recently in some of its products, is currently being exploited and Russian threat actors are leveraging this vulnerability to install malware on corporate systems and access protected data, the National Security Agency (NSA) warned on Monday. Join Our Online Security and Hosting Newsletter Today…

08 Dec 2020
cPanel Security Update

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv2 scores ranging from…

17 Jan 2016
Another WordPress commercial plugin gets exploited

And yet another WordPress commercial plugin gets exploited in the wild, as Wordfence security analysts identified attackers exploiting vulnerabilities in outdated versions of a commercial WordPress plugin since the end of january. In this case the fairly popular WP Cost Estimation & Payment Forms Builder plugin developed by Loopus…

17 Feb 2019
New SGAxe and CrossTalk Side-Channel Attacks uncovered for Intel processors

Over the past two years, processors, in particular processors made by Intel, have been targeted by an unending series of attacks that have made it possible for skilled attackers to intercept passwords, encryption keys, and other secrets out of data stored in resident memory. Join Our Online Security and…

13 Jun 2020
WordPress 3.8.2 Security Release

WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately. This releases fixes a weakness that could let an attacker force their way into your site by forging authentication cookies. This was discovered and…

11 Apr 2014
WordPress Users Urged to Delete Total Donations Plugin

Total Donations is a commercial plugin that helps sites create donation campaigns and accept payments from their visitors and is currently used by many non-profit and political organizations who want to accept donations from donors using a donation form. Attacks on the Total Donations plugins have been tracked over…

30 Jan 2019
Bash Security Update(s) Issued

We have been made aware of a serious security vulnerability in Bash that affects multiple operating systems and applications. Join Our Online Security and Hosting Newsletter Today and stay updated with the latest news, updates, releases & much more. Subscribe Email I agree to the Privacy Policy and would…

25 Sep 2014
OpenSSL (RHEL) Security Update Issued

An update for OpenSSL on RHEL was just released to help address the Poodle OpenSSL security vulnerability and it is recommended that you update as soon as possible. This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade…

17 Oct 2014

Join Our Online Security and Hosting Newsletter Today

and stay updated with the latest news, updates, releases & much more.
Subscribe
SUBSCRIBE NOW
We respect your privacy.
close-link
Our website uses cookies from third party services to improve your browsing experience. Read more about this and how you can control cookies by clicking "Privacy Preferences".
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy policy
Required
Privacy Policy Cookies Policy