Home » News » Researchers discovered serious vulnerability in WP Live Chat Support plugin

Researchers discovered serious vulnerability in WP Live Chat Support plugin

Analysts from Sucuri company found in WP Live Chat Support-plugin dangerous bug.

Vulnerability allows to unauthorized attackers perform XSS-attack and implement malware on all pages of the website that use this extension.

“An XSS flaw is pretty serious in itself. It allows hackers to inject malicious code in websites or web apps and compromise visitors’ accounts or expose them to modified page content”, — say Sucuri specialists.

After receiving information about this disadvantage, developers fixed it with the next release of their product.

Problem linked with incorrect application of admin_init request. As discovered researchers, WP Live Chat Support creators used this hook for calling wplc_head_basic function that is responsible for update of plugin parameters. With this mechanism of users’ rights check on performing of such actions was absent in program’s code.

Sucuri specialists argue that as admin_init works through system utilities admin-post.php or admin-ajax.php, attacker should update parameter wplc_custom_js and accommodate his code there.

With this, cybercriminal can add malware script on any page of vulnerable website where installed WP Live Chat Support. For attack, hacker will not need any additional privileges and even authorization on web-resource. Attackers may act with the use of simple bots, automatically putting their code in page headings through the wplc_head_basic parameter.

Screenshot with 'wplc_head_basic' function
Screenshot with ‘wplc_head_basic’ function

Researchers informed developers about a bug on April 30, 2019, and on May 15 creators of extension released WP Live Chat Support version 8.0.27 where vulnerability was fixed. All plugin users are recommended to install patch ASAP.

According to WordPress repository, problematic extension installed on more than 60 thousand websites. As shows experience, cybercriminals trace information about bugs in extensions and try to find unpatched resources, even if developers have already released a patch.

READ  Gmail was a first mail service that launched safety standards MTA-STS and TLS Reporting support

Source: https://www.bleepingcomputer.com

[Total: 0    Average: 0/5]

About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

Smominru Botnet Quickly Spreads Quickly

Smominru botnet quickly spreads and hacks over 90 thousand computers every month

Cryptocurrency mining and identity theft botnet Smominru (also known as Ismo) began to spread incredibly …

TFlower ransomware uses RDP

Researchers say about growing activity of TFlower, another ransomware that uses RDP

According to Bleeping Computer, the activity of TFlower, a ransomware that uses RDP and is …

Leave a Reply