WordPress has issued a patch fixing an unauthenticated persistent cross-site scripting vulnerability in its Live Chat Support, which has a reported 60,000 users.
The problem was uncovered by Sucuri on April 30, and WordPress issued a patch in version 8.0.27 on May 15. Even without an account on a vulnerable site, malicious actors could exploit the vulnerability via an unprotected admin_init hook, a popular attack vector.
"In this particular vulnerability, the function wplc_head_basic updates the plugin settings without using proper privilege checks. Since 'admin_init' hooks can be called visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker could use these endpoints to arbitrarily update the option 'wplc_custom_js,'" Sucuri wrote.
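To make the missing check concrete, the following PHP is an added illustration, not the plugin's actual code: a settings handler in the shape the advisory describes (an admin_init callback that saves an option with no authorization), followed by the form a hardened handler takes. The function and option names come from the quote above; the request field name and the nonce action name are assumptions.

```php
<?php
// Illustrative reconstruction only; the real plugin code is not reproduced here.
// Option name 'wplc_custom_js' and function name wplc_head_basic are from the
// advisory; the POST field and nonce action below are assumed.

// BEFORE (vulnerable shape): 'admin_init' runs for requests to
// /wp-admin/admin-post.php and /wp-admin/admin-ajax.php even when the
// visitor is not logged in, so this callback lets anyone persist arbitrary
// JavaScript into an option the plugin later echoes into pages.
// Deliberately NOT registered with add_action() in this file.
function wplc_head_basic_vulnerable() {
    if ( isset( $_POST['wplc_custom_js'] ) ) {
        update_option( 'wplc_custom_js', $_POST['wplc_custom_js'] );
    }
}

// AFTER (hardened): the option is by design raw script that the plugin
// outputs, so output escaping cannot fix this; the control is authorization.
function wplc_head_basic_hardened() {
    if ( ! isset( $_POST['wplc_custom_js'] ) ) {
        return;
    }
    // Anonymous visitors and low-privilege users fail here. 'unfiltered_html'
    // is the capability WordPress itself requires before storing raw markup/script.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        return;
    }
    // Nonce check: an admin's own session cannot be ridden via CSRF to save
    // this option. 'wplc_save_settings' and 'wplc_settings_nonce' are assumed names;
    // check_admin_referer() terminates the request when the nonce is invalid.
    check_admin_referer( 'wplc_save_settings', 'wplc_settings_nonce' );

    // Undo the slashes WordPress adds to request data before persisting.
    $js = wp_unslash( $_POST['wplc_custom_js'] );
    update_option( 'wplc_custom_js', $js );
}
add_action( 'admin_init', 'wplc_head_basic_hardened' );
```

The same two checks, a capability test and a nonce, are what a reviewer should look for on every admin_init, admin-post and admin-ajax handler that writes to the database.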