WP Live Chat Support plugin is currently installed on over 50,000 different websites and is designed to enable users to connect with website visitors to provide real-time support.
Security researchers at Alert Logic have just discovered that WP Live Chat Support versions 8.0.32 and earlier are affected by a critical authentication vulnerability identified as CVE-2019-12498. This vulnerability allows unauthenticated users to access REST API endpoints that are supposed to be restricted.
Unpatched versions of the plugin expose REST API endpoints to remote exploitation because of a flaw in the 'wplc_api_permission_check()' function, leaking chat logs and enabling manipulation of chat sessions.
"The sequence of 'register_rest_route()' calls here defines the REST API endpoints that need access restrictions due to the nature of the function they expose," according to Alert Logic's research team.
"Each restricted endpoint shares the same 'permission_callback' function named wplc_api_permission_check() that will be exposed soon," they added.
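To make the mechanism in the quote concrete, here is an added illustration of how a WordPress `permission_callback` gates a REST route. It is not the plugin's code and does not reproduce the flawed function; the route namespace, handler and function names are hypothetical. The first callback shows the weak pattern (every request is granted, so the route is effectively public); the second requires an authenticated user with a capability before the handler runs.

```php
<?php
// Added illustration (not WP Live Chat Support's own code): how a
// permission_callback decides whether a REST route is reachable by
// unauthenticated callers. Route and handler names are hypothetical.

// Weak pattern: the callback grants every request, so the route is public
// even though the handler returns privileged data such as chat history.
function example_weak_permission_check( WP_REST_Request $request ) {
    return true; // any visitor passes
}

// Hardened pattern: require a logged-in user with a relevant capability.
// For cookie-authenticated users WordPress also requires a valid X-WP-Nonce
// header; a request without it is treated as unauthenticated, so
// current_user_can() returns false for it. Pick the capability that matches
// the roles that should see chat data; manage_options is an example.
function example_strict_permission_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to access chat data.' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-chat/v1', '/chat-history', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_chat_history_handler',   // hypothetical handler
        'permission_callback' => 'example_strict_permission_check', // never use the weak one here
    ) );
} );

function example_chat_history_handler( WP_REST_Request $request ) {
    // Only reached after permission_callback returned true.
    return rest_ensure_response( array( 'messages' => array() ) );
}
```

A quick check for any installed plugin is to grep its `register_rest_route()` calls and read each `permission_callback`: a callback that returns `true` unconditionally, or that is missing, means the endpoint is reachable without credentials.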
Potential risks of attacks
Exposed REST API endpoints may enable attackers to extract complete chat logs for all recorded sessions on the website, add messages to ongoing chats, modify messages, and launch Denial of Service (DoS) attacks by 'arbitrarily terminating active chat sessions'.
Alert Logic researchers also propose measures to minimize the impact of the critical authentication vulnerability in the WP Live Chat Support plugin for WordPress. They are intended for administrators who cannot update to the latest plugin version and take the form of a 'virtual patch via WAF to filter traffic for WP Live Chat Support REST.'
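For administrators without a WAF in front of the site, an equivalent interim control can be applied inside WordPress itself. The following is an added example, not Alert Logic's rule and not the plugin's code: a must-use plugin that rejects unauthenticated requests to a list of REST routes before their handlers run, using the `rest_pre_dispatch` filter. The route patterns are placeholders, because the article does not name the affected routes; the visitor-facing chat routes must be left out of the list, otherwise the chat widget stops working for anonymous visitors.

```php
<?php
/*
 * Added illustration (not Alert Logic's WAF rule and not the plugin's code):
 * an interim, WordPress-level "virtual patch" that refuses unauthenticated
 * requests to specific REST routes before dispatch. Place the file in
 * wp-content/mu-plugins/ so it loads regardless of plugin settings and
 * remove it once the plugin is updated.
 *
 * PLACEHOLDER route patterns: the article does not list the affected routes.
 * Only admin-facing routes belong here; visitor-facing chat routes must stay
 * open or anonymous visitors cannot use the chat.
 */
const EXAMPLE_PROTECTED_ROUTES = array(
    '#^/example-chat/v1/chat-history#', // placeholder
    '#^/example-chat/v1/chat-session#', // placeholder
);

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already short-circuited the request
    }

    $route = $request->get_route(); // e.g. "/example-chat/v1/chat-history"

    foreach ( EXAMPLE_PROTECTED_ROUTES as $pattern ) {
        if ( ! preg_match( $pattern, $route ) ) {
            continue;
        }
        // Same capability check the hardened permission_callback would make;
        // cookie sessions without a valid X-WP-Nonce count as unauthenticated.
        if ( ! current_user_can( 'manage_options' ) ) {
            error_log( sprintf(
                'virtual patch: blocked unauthenticated REST request to %s from %s',
                $route,
                $_SERVER['REMOTE_ADDR'] ?? 'unknown'
            ) );
            return new WP_Error(
                'rest_forbidden',
                __( 'Authentication required.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }
    }

    return $result; // null: let WordPress dispatch the request normally
}, 10, 3 );
```

The `error_log()` line doubles as detection: repeated blocked requests to the same route from one address in the PHP error log are the signal an administrator would want to see while the plugin remains unpatched.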
At the same time, researchers also note that, as of now, no exploits leveraging this authentication bypass vulnerability have been detected. The plugin developers have been informed of the vulnerability and released a patch on May 29th.
Actively exploited XSS vulnerability in version 8.0.26 and earlier versions
Last month, researchers at Sucuri uncovered an exploitable cross-site scripting (XSS) vulnerability in WP Live Chat Support plugin v8.0.26.
This vulnerability allows unauthenticated attackers to automate attacks against a large number of targets, injecting malicious code into applications and websites and then compromising visitor accounts or leaking modified page content.
About two weeks later, researchers at Zscaler ThreatLabZ identified active exploitation of the vulnerability, with injected malicious JavaScript triggering 'malicious redirections, unwanted pop-ups, and fraudulent subscriptions.'
