For the second time this month a patch has been issued for the WordPress add-on called WP Live Chat Support Plugin. This time around it’s a cross-site scripting (XSS) vulnerability.
WP Live Chat Support is a popular WordPress plugin that lets site owners add a pop-up chat widget to their websites for customer service. The plugin has more than 60,000 users. On May 6, a file-upload bug in the same plugin was also patched.
The cross-site scripting vulnerability was first discovered April 30, and a patch was issued this past week. The vulnerability is particularly insidious because an unauthenticated attacker could exploit it with no user interaction, allowing them to inject JavaScript payloads into affected sites, said researchers with Sucuri, who discovered the flaw.
“Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites,” said John Castro, with Sucuri in a post this week. “The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.”
The bug has been fixed in the 8.0.27 release; on unpatched sites it can be exploited by an attacker who has no account on the vulnerable site. Even so, Castro said he is not aware of any exploit attempts using the flaw.
The flaw stems from a well-known weak spot in WordPress plugins: an unprotected “admin_init” hook. In WordPress theme and plugin development, hooks are the points at which a developer’s functions are attached to a WordPress Action or Filter. The “admin_init” hook in particular fires before any other hook whenever the admin area is accessed.
Within that hook, the plugin’s function “wplc_head_basic” updates the plugin settings without performing proper privilege checks, said Castro.
That means the hook could be triggered merely by requesting /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, so an unauthenticated attacker could exploit the flaw. Once the hook fires, the attacker can arbitrarily update the option “wplc_custom_js.”
The content of this option is output wherever the live chat widget appears, allowing bad actors to inject malicious JavaScript payloads in multiple locations of a vulnerable website.
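The following PHP is an added illustration of the bug class described above, not the plugin’s own code. It reconstructs the pattern in simplified form: an `admin_init` handler that writes request data into the `wplc_custom_js` option, first without any checks and then hardened with a capability check and a nonce. All function names and the nonce action name are hypothetical; `admin_init`, `wplc_custom_js` and the WordPress API calls are real.

```php
<?php
// Added illustration (not the plugin's actual code). Function names and the
// nonce action name are hypothetical; "admin_init", "wplc_custom_js" and the
// WordPress API functions are real.

// VULNERABLE PATTERN: admin_init fires on every admin-area request, including
// the entry points /wp-admin/admin-post.php and /wp-admin/admin-ajax.php,
// which WordPress serves to visitors who are not logged in. Persisting request
// data into an option here, with no capability or nonce check, lets any
// visitor overwrite it, and the option is later echoed into the site's pages.
function example_vulnerable_save_settings() {
    if ( isset( $_POST['wplc_custom_js'] ) ) {
        update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
    }
}
add_action( 'admin_init', 'example_vulnerable_save_settings' );

// HARDENED PATTERN: same hook, but the write only happens for a logged-in
// user with the right capability who submitted the form with a valid nonce.
function example_hardened_save_settings() {
    if ( ! isset( $_POST['wplc_custom_js'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage site options may proceed.
    // An anonymous request (admin-post.php / admin-ajax.php) fails this test.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // CSRF protection: the request must carry a nonce bound to this action.
    // check_admin_referer() terminates the request if the nonce is missing
    // or invalid.
    check_admin_referer( 'example_save_custom_js', '_wpnonce' );

    update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
}
add_action( 'admin_init', 'example_hardened_save_settings' );

// The settings form that feeds the hardened handler must emit the matching
// nonce field, or legitimate saves will be rejected.
function example_render_settings_form() {
    $current = get_option( 'wplc_custom_js', '' );
    echo '<form method="post">';
    wp_nonce_field( 'example_save_custom_js', '_wpnonce' );
    echo '<textarea name="wplc_custom_js">' . esc_textarea( $current ) . '</textarea>';
    submit_button();
    echo '</form>';
}
```

For a site that ran a vulnerable version, the option itself is the thing to inspect: `wp option get wplc_custom_js` (WP-CLI) shows exactly what script, if any, is currently being injected into pages, and anything an administrator did not put there should be treated as a compromise indicator.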
The plugin has been riddled with flaws over the past few months. Earlier in May, researchers said that the patch for a previously discovered critical arbitrary file upload flaw (CVE-2018-12426) could be bypassed in a proof-of-concept attack.
Also this week, the WordPress plugin Give, which lets users set up a donation page on a website and currently has 60,000 installs, patched a cross-site scripting flaw. The severe vulnerability allowed donors to inject arbitrary code into an administrative page.
“Due to the reflection point, the injection can only be seen by users with sufficient permissions to see the donors — this means that a malicious script could do a lot of damage while acting as these users,” said Sucuri researchers, who also discovered that flaw.
According to an Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or blog. Other recent vulnerabilities have been found in WordPress plugins including Social Warfare, Yellow Pencil Visual Theme Customizer, and Yuzo Related Posts.