Security researchers have discovered a critical flaw in WordPress Live Chat Support which can be exploited by an attacker without the need for valid credentials.
Alert Logic first discovered the critical authentication bypass vulnerability present in version 8.0.32 while investigating a set of other vulnerabilities in the WP Live Chat plugin for WordPress. The new vulnerability allows unauthenticated users to access restricted REST API endpoints as a result of critical authentication bypass flaw CVE-2019-12498.
- WordPress revamped with new security features
- 7 great reasons to choose managed WordPress hosting
- It's a jungle out there: Don't leave your WordPress sites in the wild
In a blog post detailing the vulnerability, Alert Logic's researchers explained why the REST API endpoints are vulnerable to attack, saying:
“The restricted REST API endpoints of the affected versions of WP Live Chat are vulnerable to abuse by unauthenticated remote attackers due to a flaw in the ‘wplc_api_permission_check()’ function.”
Live chat vulnerability
As the REST API endpoints are exposed as a result of the flaw, potential attackers could extract full chat logs for all chat sessions logged on a website, inject text into ongoing chat sessions, edit injected messages and launch denial of service (DoS) attacks by “arbitrarily ending active chat sessions”.
For admins that are unable to update the plugin immediately to mitigate the issue, Alert Logic has a fix in the form of “virtual patching using a WAF to filter traffic destined for the WP Live Chat Support REST endpoint”.
According to the company, no attackers have yet attempted to exploit the authentication bypass issue so far and the developer of the plugin issued a patch for the vulnerability three days after it was initially disclosed at the end of May.
If you or your company's website uses the WP Live Chat Support plugin, it is highly recommended that you update the plugin to version 8.0.33 or later to prevent your site from falling victim to an attack.