WordPress has issued a patch fixing an unauthenticated persistent cross-site scripting vulnerability in its Live Chat Support, which has a reported 60,000 users.
The problem was uncovered by Sucuri on April 30 and a patch was issued in version 8.0.27 on May 15 by WordPress. Even without an account on a vulnerable site, malicious actors could exploit the vulnerability via an unprotected admin_init hook, a popular attack vector.
“In this particular vulnerability, the function wplc_head_basic updates the plugin settings without using proper privilege checks. Since ‘admin_init’ hooks can be called visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker could use these endpoints to arbitrarily update the option ‘wplc_custom_js,'” Sucuri wrote.
Sucuri encouraged anyone using the plugin to update to the latest version of WordPress, due to the vulnerability’s ease of exploitation, the number of affected users and the potential devastating effects of a successful attack.