Critical flaw in WordPress live chat discovered

Image credit: Pixabay (Image credit: Image Credit: StockSnap / Pixabay)

Security researchers have discovered a critical flaw in WordPress Live Chat Support which can be exploited by an attacker without the need for valid credentials.

Over 50,000 websites have installed the WordPress plugin designed to provide websites with a free way to offer live chat support to their visitors.

Alert Logic first discovered the critical authentication bypass vulnerability present in version 8.0.32 while investigating a set of other vulnerabilities in the WP Live Chat plugin for WordPress. The new vulnerability allows unauthenticated users to access restricted REST API endpoints as a result of critical authentication bypass flaw CVE-2019-12498.

In a blog post detailing the vulnerability, Alert Logic's researchers explained why the REST API endpoints are vulnerable to attack, saying:

“The restricted REST API endpoints of the affected versions of WP Live Chat are vulnerable to abuse by unauthenticated remote attackers due to a flaw in the ‘wplc_api_permission_check()’ function.” 

Live chat vulnerability

As the REST API endpoints are exposed as a result of the flaw, potential attackers could extract full chat logs for all chat sessions logged on a website, inject text into ongoing chat sessions, edit injected messages and launch denial of service (DoS) attacks by “arbitrarily ending active chat sessions”.

For admins that are unable to update the plugin immediately to mitigate the issue, Alert Logic has a fix in the form of “virtual patching using a WAF to filter traffic destined for the WP Live Chat Support REST endpoint”.

According to the company, no attackers have yet attempted to exploit the authentication bypass issue so far and the developer of the plugin issued a patch for the vulnerability three days after it was initially disclosed at the end of May.

If you or your company's website uses the WP Live Chat Support plugin, it is highly recommended that you update the plugin to version 8.0.33 or later to prevent your site from falling victim to an attack.

Via Bleeping Computer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.