Critical flaw in WordPress live chat discovered

Image credit: StockSnap / Pixabay

Security researchers have discovered a critical flaw in WordPress Live Chat Support which can be exploited by an attacker without the need for valid credentials.

Over 50,000 websites have installed the WordPress plugin designed to provide websites with a free way to offer live chat support to their visitors.

Alert Logic first discovered the critical authentication bypass vulnerability, present in version 8.0.32, while investigating a set of other vulnerabilities in the WP Live Chat plugin for WordPress. The flaw, tracked as CVE-2019-12498, allows unauthenticated users to access restricted REST API endpoints.

In a blog post detailing the vulnerability, Alert Logic's researchers explained why the REST API endpoints are vulnerable to attack, saying:

“The restricted REST API endpoints of the affected versions of WP Live Chat are vulnerable to abuse by unauthenticated remote attackers due to a flaw in the ‘wplc_api_permission_check()’ function.”

Live chat vulnerability

As the REST API endpoints are exposed as a result of the flaw, potential attackers could extract full chat logs for all chat sessions logged on a website, inject text into ongoing chat sessions, edit injected messages and launch denial of service (DoS) attacks by “arbitrarily ending active chat sessions”.

For admins who are unable to update the plugin immediately, Alert Logic suggests a stopgap to mitigate the issue in the form of “virtual patching using a WAF to filter traffic destined for the WP Live Chat Support REST endpoint”.
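The article describes the defect only at the level of its effect: a REST permission check that lets unauthenticated callers reach restricted endpoints, which in turn exposes chat logs and lets outsiders inject into or end sessions. The following is an added illustration written for this article, not code from WP Live Chat Support or from Alert Logic. It shows the general class of bug (a `permission_callback` that grants everyone access) beside a hardened callback that requires a logged-in user with a capability, and finishes with an application-level stopgap that mirrors the intent of the WAF virtual patch mentioned above by refusing anonymous requests to an assumed REST namespace until the plugin is updated. The namespace `example-chat/v1`, the `/logs` route and every `example_chat_*` function name are placeholders, not the plugin's real identifiers.

```php
<?php
/**
 * Illustrative example only: NOT the WP Live Chat Support plugin's code.
 * Demonstrates the class of defect the article describes (a REST
 * permission callback that succeeds for everyone) next to a hardened
 * callback, plus a temporary application-level block that mirrors the
 * intent of the WAF "virtual patch" Alert Logic recommends.
 *
 * Assumed names: the 'example-chat/v1' namespace, the /logs route and
 * the example_chat_* functions are placeholders, not the plugin's own.
 */

// --- 1. The weak pattern: a permission callback that always succeeds ---
// Anyone who can reach /wp-json/ can read this route, logged in or not.
// This is the shape of bug that leaks data to unauthenticated callers.
function example_chat_weak_permission_check( WP_REST_Request $request ) {
    return true;
}

// --- 2. The hardened pattern: require a logged-in user with a capability ---
// WordPress resolves the current user (cookie + nonce, or another auth
// handler) before permission_callback runs, so current_user_can() is the
// right test. Returning WP_Error produces a 401 (anonymous) or 403 (logged
// in without the capability) instead of silently serving the data.
function example_chat_permission_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to access chat data.', 'example-chat' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_chat_get_logs( WP_REST_Request $request ) {
    // Constructed sample data standing in for stored chat transcripts.
    return rest_ensure_response( array(
        array( 'session' => 1, 'messages' => array( 'Hello', 'How can I help?' ) ),
    ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-chat/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_chat_get_logs',
        // The hardened check. Pointing this at the weak callback above
        // reproduces the unauthenticated-access class of bug.
        'permission_callback' => 'example_chat_permission_check',
    ) );
} );

// --- 3. Temporary lockdown while a plugin update is pending ---
// Placed in wp-content/mu-plugins/, this refuses every request under the
// assumed namespace from anonymous users, regardless of what the plugin's
// own permission callbacks do. Remove it once the plugin is updated.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $locked_prefix = '/example-chat/v1/'; // assumed route prefix (placeholder)
    if ( 0 === strpos( $request->get_route(), $locked_prefix ) && ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_locked',
            __( 'This endpoint is temporarily unavailable to anonymous requests.', 'example-chat' ),
            array( 'status' => 401 )
        );
    }
    return $result; // null lets normal dispatch continue
}, 10, 3 );
```

The `rest_pre_dispatch` filter runs after WordPress has authenticated the request but before the route's own `permission_callback`, which is why it works as a site-operator stopgap even when a plugin's callback is broken. It is a coarser tool than a real fix (it also blocks any legitimate anonymous use the plugin may rely on, such as visitor-side chat), so it belongs in the same category as the WAF rule: a bridge until version 8.0.33 or later is installed.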

According to the company, no attackers have yet attempted to exploit the authentication bypass issue, and the developer of the plugin issued a patch for the vulnerability three days after it was initially disclosed at the end of May.

If you or your company's website uses the WP Live Chat Support plugin, it is highly recommended that you update the plugin to version 8.0.33 or later to prevent your site from falling victim to an attack.

Via Bleeping Computer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
