Hackers Inject Scripts in WordPress Live Chat Plugin
Site administrators using WP Live Chat Support for WordPress are advised to upgrade the plug-in to the latest version to close persistent cross-site scripting (XSS) vulnerability that is exploited without any authentication.
Installed on more than 60,000 websites, the plug-in is presented as a free alternative to complete customer loyalty and chat solution.
The danger of automatic attacks
Sucuri researchers discovered that versions of the plug-in earlier than 8.0.27 are susceptible to persistent XSS issues that can be exploited remotely by a hacker who does not have an account on the affected site.
The hackers can automate their attacks and cover more victims, without having to authenticate on the target site. So going by the popularity of the plugin if you add it, and with little effort of the plugin, you are in for trouble.
Talking about XSS error, it’s quite serious issues, because it allows the hacker to place malicious code on websites or web applications, and then it compromises visitor accounts or shares them on modified pages.
XSS can be persistent if a malicious code is added to a section stored on the server, for instance, user comments. When a user loads the infected page, the malicious code is scanned by the browser and the attacker’s instructions are executed.
The details from Sucuri elucidates how exploiting this vulnerability could be due to unprotected “admin_init hook” – a common attack vector for WordPress plugins.
The researchers say that the wplc_head_basic function did not use the appropriate authorization controls to update the plug-in’s settings.
“Because the ‘admin_init’ hooks can be called by visiting /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker can use these endpoints to get the ‘wplc_custom_js ‘update arbitrarily’, “Castros details
The content of the option is included on every page that loads live chat support so that hackers who reach a vulnerable site can insert JavaScript code on multiple pages
Sucuri informed developers of the plug-in on April 30 and a corrected version was released on Wednesday.
Related Resources:
Protect Your WordPress Website from SQL Injection
Yet Another WordPress Hack Exploiting Plugin Vulnerabilities