News

Vulnerability in WP Live Chat Support plugin allows stealing logs and insert messages in chats

Developers of WP Live Chat Support plugin, which has more than 50,000 installations, report that users should immediately upgrade plugin to version 8.0.33 or later.

The fact is that in plugin was detected critical vulnerability that allows an attacker who does not have valid credentials to bypass authentication mechanism.

WP Live Chat Support allows adding to the website free chat through which employees can provide support and assistance to resource visitors.

Experts from Alert Logic found that plugin versions 8.0.32 and below allow an unauthenticated attacker to gain access to REST API endpoints, which should not be available under normal circumstances. The vulnerability received the identifier CVE-2019-12498. Due to exploitation of the bug, an attacker can not only steal all the logs of already completed chats, but also interfere with still active chat sessions.

The researchers say that with the help of a bug, an attacker can insert his own messages into active chats, edit them, and carry out DoS attacks, due to which chat sessions will be urgently terminated.

“Note that we had not seen attackers attempt this specific bypass in our customer data, and do not believe that it was being actively exploited”, — report researchers.

Remediation and Mitigation from Alert Logic

The primary resolution of this vulnerability is to update the plugin to the latest version. If this cannot be achieved, then mitigation options may include:

Virtual patching using a WAF to filter traffic destined for the WP Live Chat Support REST endpoint

Interestingly, in the past month, Sucuri’s specialists discovered another dangerous problem in WP Live Chat Support -XSS bug, which allowed automating attacks on vulnerable sites and introducing malicious code without authentication. Criminals quickly began to exploit this vulnerability.

Concluding, according to ZScaler ThreatLabZ, attackers injected malicious JavaScript on vulnerable sites, which organized forced redirects and was responsible for arrival of pop-up windows and fake subscriptions.

Source: https://blog.alertlogic.com

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove News-xbuhoxu.store Pop-up Ads

About News-xbuhoxu.store News-xbuhoxu.store pop-ups can not open out of nowhere. If you have actually clicked…

4 hours ago

Remove News-xbadeyo.today Pop-up Ads

About News-xbadeyo.today News-xbadeyo.today pop-ups can not introduce out of nowhere. If you have clicked on…

4 hours ago

Remove News-bbutohu.info Pop-up Ads

About News-bbutohu.info News-bbutohu.info pop-ups can not open out of nowhere. If you have actually clicked…

5 hours ago

Remove News-bbucoxe.today Pop-up Ads

About News-bbucoxe.today News-bbucoxe.today pop-ups can not launch out of the blue. If you have clicked…

5 hours ago

Remove News-xdetake.cc Pop-up Ads

About News-xdetake.cc News-xdetake.cc pop-ups can not expose out of nowhere. If you have clicked on…

8 hours ago

Remove News-bbufiya.today Pop-up Ads

About News-bbufiya.today News-bbufiya.today pop-ups can not expose out of nowhere. If you have clicked some…

8 hours ago