Researchers have uncovered the second serious bug in a WordPress plugin this month that could lead to the mass compromise of WordPress websites.
The bug in the WP Live Chat Support plugin allows attackers to inject their own code into websites running it. It follows a bug discovered in the plugin six weeks ago that allowed attackers to execute code on affected websites.
WP Live Chat Support is an open source third-party plugin for WordPress that allows users to install live chat functionality on their sites for customer support purposes. There are over 60,000 active installations of the software today, according to its WordPress page.
According to Sucuri, the vulnerability lies in an unprotected admin_init hook. A hook is a way for one piece of code to interact with and change another: WordPress fires the admin_init hook whenever a request reaches the admin side of a site, and plugin developers can attach their own functions to it so that they run at that point.
The problem is that admin_init does not require authentication. WordPress fires it for any request that reaches an admin URL, whether or not the visitor is logged in, so every function attached to it runs for anonymous visitors as well. The function WP Live Chat attaches to this hook, wplc_head_basic, updates the plugin's settings without checking the user's privileges.
An unauthenticated attacker could use this flaw to update an option called wplc_custom_js, which holds JavaScript that the plugin outputs wherever its live chat window appears. By writing malicious JavaScript into that option, an attacker can have it served on many pages of a WordPress-powered website, the researchers explain.
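As an added illustration, which is not the plugin's own code (the article does not reproduce it), the WordPress-style snippet below shows the bug class described above next to the fix a maintainer would apply: a settings write hooked to admin_init that trusts request data, and the same write guarded by a capability check and a nonce. The option key demo_custom_js, the request fields demo_custom_js and demo_nonce, the nonce action demo_save_settings and the function names are assumptions made up for the example; it assumes it is loaded inside WordPress, for instance as a must-use plugin.

```php
<?php
/*
 * Illustrative example only, not code from WP Live Chat Support.
 * All names below (demo_*) are invented for this example.
 * Assumes WordPress is loaded, e.g. dropped into wp-content/mu-plugins/.
 */

/*
 * BEFORE (the bug class): admin_init fires for every request that reaches
 * the admin side, including wp-admin/admin-post.php and admin-ajax.php,
 * which anonymous visitors can request. Nothing here checks who is asking,
 * so anyone who can send a POST can overwrite the stored JavaScript.
 */
function demo_head_basic_unsafe() {
    if ( isset( $_POST['demo_custom_js'] ) ) {
        update_option( 'demo_custom_js', wp_unslash( $_POST['demo_custom_js'] ) );
    }
}
// add_action( 'admin_init', 'demo_head_basic_unsafe' ); // left disabled on purpose

/*
 * AFTER: the option changes only when an administrator submits the plugin's
 * own settings form. The order matters: an anonymous request fails the
 * capability check before any nonce or data is looked at.
 */
function demo_head_basic_safe() {
    if ( ! isset( $_POST['demo_custom_js'] ) ) {
        return; // nothing to save on this request
    }
    // 1. Capability check: anonymous visitors and low-privilege users stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 2. CSRF check: the value must originate from our settings form, which
    //    rendered wp_nonce_field( 'demo_save_settings', 'demo_nonce' ).
    if ( ! isset( $_POST['demo_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_nonce'], 'demo_save_settings' ) ) {
        return;
    }
    // Custom JavaScript is an intentional admin feature, so it is stored as
    // given; the protection is in who may write it, not in filtering it.
    update_option( 'demo_custom_js', wp_unslash( $_POST['demo_custom_js'] ) );
}
add_action( 'admin_init', 'demo_head_basic_safe' );

/* The settings form that pairs with the safe handler. */
function demo_render_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'demo_save_settings', 'demo_nonce' );
    echo '<textarea name="demo_custom_js">'
        . esc_textarea( get_option( 'demo_custom_js', '' ) )
        . '</textarea>';
    submit_button( 'Save' );
    echo '</form>';
}
```

To confirm the fix behaves as intended, send the same POST twice: once without a session cookie to wp-admin/admin-post.php, after which the option must be unchanged, and once from a logged-in administrator's settings form, after which it must hold the new value. Site owners responding to the real bug can check what is installed with `wp plugin list` and inspect the stored value with `wp option get wplc_custom_js` to see whether anything unexpected has been written there.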
This isn’t the first time that WP Live Chat has had to patch its plugin. Last year, its developers patched CVE-2018-12426, a bug that allowed users to upload PHP scripts to the site and execute code remotely.
In April, Alert Logic found that the plugin was still vulnerable even after the patch. The developers had introduced the flaw by writing their own file upload code rather than relying on WordPress’s built-in upload handling, the researchers said.
WP Live Chat Support fixed the JavaScript insertion bug in version 8.0.27 and the file upload bug in 8.0.29, released on 15 May 2019. Website owners should patch now, Sucuri says:
Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.
However, some users complained that they were unable to update. WP Live Chat’s page in the WordPress plugin directory says it is closed to new installations. In its support forum, user Tiiunder said:
I am not able to update the plugin anymore, which is necessary because of the vulnerability which occurred in the last few days.
I get the message: This plugin has been closed for new installations.
Others reported the same problem, with one complaining that the plugin was part of a WordPress theme they had bought.
We were unable to get a response from the company via several channels, but it urged people to update on Twitter last week. Its blog mentions that it recently merged the free and pro versions of the plugin and points to an installation guide.
Prasad
It should be May 15 2019 and not may 15 2017.
Paul Ducklin
Fixed, thanks.
Terrel Brinkley
This really sucks for honest business owners looking to use WordPress. It also carries on that insecure stigma that WordPress has had for years. What a shame.