Installed on over 60,000 websites, the WordPress Live Chat plugin is presented as a free alternative for chat functionality to engage customers.
Risks of automated attacks
Sucuri's researchers have uncovered a Cross-Site Scripting (XSS) vulnerability in plugin versions prior to 8.0.27 that can be exploited remotely by attackers who have no account on the affected website.
Because no authentication on the target website is required, attackers can automate their attacks against a large number of victims. Combined with the plugin's popularity and the low exploitation effort, this makes mass automated attacks likely.
The XSS vulnerability is assessed as quite severe. It allows attackers to inject malicious code (WannaCry, for instance) into websites or web applications, compromising visitor accounts or embedding that code in modified page content.
XSS becomes 'persistent' (stored) when the malicious code is saved in a server-stored section, such as user comments. Whenever a user loads a page carrying the code, the browser's rendering engine executes the attacker's instructions.
The vulnerability stems from an unprotected 'admin_init' hook, a common attack vector in popular WordPress plugins, according to Sucuri's security researchers.
The researchers also noted that the 'wplc_head_basic' function does not perform proper privilege checks before updating the WordPress plugin's settings.
Following that, a function runs to check more crucial permissions, as illustrated below:
'Since admin_init can be invoked by accessing /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, unauthorized attackers could use these endpoints to arbitrarily update wplc_custom_js options.'
The content of that option is output on every page where the live chat is enabled, so an attacker who controls it can inject JavaScript across many pages at once.
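The following PHP is an added illustration of the pattern the advisory describes and of the fix a plugin author would apply; it is not the plugin's own code. The option name wplc_custom_js comes from the advisory; every function name and form field name below is an assumption made for the example.

```php
<?php
/*
 * Illustrative example (not the Live Chat plugin's actual code).
 * Shows why a settings handler attached to admin_init is dangerous
 * without capability checks, and the hardened equivalent.
 * Option name 'wplc_custom_js' is from the advisory; all other names
 * (example_*) are assumptions.
 */

// BEFORE (vulnerable pattern): admin_init fires for every request to
// /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, including
// unauthenticated ones, so this would store whatever JavaScript the
// request carries and serve it to every visitor.
function example_vulnerable_save_settings() {
    if ( isset( $_POST['example_custom_js'] ) ) {
        update_option( 'wplc_custom_js', wp_unslash( $_POST['example_custom_js'] ) );
    }
}
// add_action( 'admin_init', 'example_vulnerable_save_settings' ); // do NOT register like this

// AFTER (hardened pattern): the handler is tied to an explicit admin-post
// action (which only fires for logged-in users), verifies the caller's
// capability, and requires a valid nonce so the change cannot be forged.
function example_hardened_save_settings() {
    // 1. Capability check: anyone who cannot manage options is rejected.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    // 2. CSRF check: the submitted form must carry the matching nonce.
    check_admin_referer( 'example_save_custom_js' );

    if ( isset( $_POST['example_custom_js'] ) ) {
        $js = wp_unslash( $_POST['example_custom_js'] );
        // 3. Defensive size cap; a legitimate custom snippet is short.
        if ( strlen( $js ) > 10000 ) {
            wp_die( esc_html__( 'Snippet too long.', 'example' ), 400 );
        }
        update_option( 'wplc_custom_js', $js );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_save_custom_js', 'example_hardened_save_settings' );

// Settings form that posts to the hardened handler, including the nonce
// field that check_admin_referer() validates.
function example_render_settings_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_custom_js">
        <?php wp_nonce_field( 'example_save_custom_js' ); ?>
        <textarea name="example_custom_js"><?php echo esc_textarea( get_option( 'wplc_custom_js', '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Two design points are worth noting. A "custom JavaScript" option is by definition executed in every visitor's browser, so output escaping cannot make it safe; the only effective control is restricting who may write it, which is exactly what the missing capability check failed to do. And registering on admin_post_{action} instead of admin_init means unauthenticated requests to admin-post.php or admin-ajax.php never reach the handler at all, closing the path the advisory describes.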
Sucuri reported this issue to the plugin developers on April 30th, and the patched version was released last Wednesday.
WordPress stands out as the premier website creation tool today. Users choose it for designing and building blogs because they can do so even without coding knowledge. To begin, you need to install WordPress on your computer; refer to how to install WordPress here.