New Flaw in WordPress Live Chat Plugin Lets Hackers Steal and Hijack Sessions
Security researchers are warning about a critical vulnerability they discovered in a popular WordPress live chat plugin which, if exploited, could allow unauthorized remote attackers to steal chat logs or manipulate chat sessions.
The vulnerability, tracked as CVE-2019-12498, resides in "WP Live Chat Support", a plugin currently used by over 50,000 businesses to provide customer support and chat with visitors through their websites.
Discovered by cybersecurity researchers at Alert Logic, the flaw stems from an improper authentication validation check that apparently allows unauthenticated users to access restricted REST API endpoints.
As described by researchers, a potential remote attacker can exploit exposed endpoints for malicious purposes, including:
- stealing the entire chat history for all chat sessions,
- modifying or deleting the chat history,
- injecting messages into an active chat session, posing as a customer support agent,
- forcefully ending active chat sessions, as part of a denial of service (DoS) attack.
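The defect class described above, a REST route whose permission check does not actually require an authenticated, authorized caller, is easiest to see in how a WordPress plugin registers its routes. The following is an added illustration written for this article, not code from WP Live Chat Support or from Alert Logic's report; the namespace, route, capability and function names are hypothetical, while the WordPress APIs (register_rest_route, permission_callback, current_user_can, WP_Error) are real.

```php
<?php
// Added illustration; not the plugin's code. Names prefixed example_chat_ are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-chat/v1', '/history/(?P<chat_id>\d+)', array(
        'methods'  => 'GET',
        'callback' => 'example_chat_get_history',
        // WEAK form of this line: 'permission_callback' => '__return_true'
        // That accepts every caller, so the chat history is readable without
        // logging in at all. The hardened form delegates to a real check:
        'permission_callback' => 'example_chat_can_read_history',
        'args'     => array(
            'chat_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );

// Runs before the handler. Returning WP_Error stops the request; the handler
// never executes for callers that fail here.
function example_chat_can_read_history( WP_REST_Request $request ) {
    // Cookie-based REST auth only counts as logged in when the request carries a
    // valid X-WP-Nonce; without it WordPress treats the caller as anonymous.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.',
            array( 'status' => 401 ) );
    }
    // 'manage_chat_history' is a hypothetical capability granted only to the
    // roles that should see transcripts (e.g. support agents), not to everyone.
    if ( ! current_user_can( 'manage_chat_history' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.',
            array( 'status' => 403 ) );
    }
    return true;
}

function example_chat_get_history( WP_REST_Request $request ) {
    $chat_id = (int) $request['chat_id'];
    // Hypothetical storage lookup; a real plugin would query its own table here.
    $messages = apply_filters( 'example_chat_history', array(), $chat_id );
    return rest_ensure_response( array( 'chat_id' => $chat_id, 'messages' => $messages ) );
}
```

The same permission callback pattern applies to the write operations in the list above (modifying, deleting or injecting messages, ending sessions), each of which needs its own authentication and capability check rather than a shared permissive one.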
The issue affects every WordPress website still running WP Live Chat Support version 8.0.32 or earlier to offer live support, and with it the customers of those sites.
The researchers responsibly reported the issue to the plugin's maintainers, who promptly released an updated, patched version of the plugin last week.
Although the researchers have not yet seen any active exploitation of the flaw in the wild, WordPress administrators are strongly advised to install the latest version of the plugin as soon as possible.