WordPress has issued a patch fixing an unauthenticated persistent cross-site scripting (XSS) vulnerability in its Live Chat Support plugin, which has a reported 60,000 users.

The problem was uncovered by Sucuri on April 30, and a patch was issued by WordPress in version 8.0.27 on May 15. Even without an account on a vulnerable site, malicious actors could exploit the vulnerability through an unprotected admin_init hook, a popular attack vector.

"In this particular vulnerability, the function wplc_head_basic updates the plugin settings without using proper privilege checks. Since 'admin_init' hooks can be called visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker could use these endpoints to arbitrarily update the option 'wplc_custom_js,'" Sucuri wrote.
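The pattern Sucuri describes, shown as an added illustration rather than the plugin's actual source: an admin_init handler that writes a setting without authorization, beside a hardened version. The function and option names follow the article; the bodies, the `wplc_save_settings` nonce action and the request parameter name are assumptions.

```php
<?php
// Illustrative example, not the plugin's own code. The admin_init hook fires on
// every request to /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, whether
// or not the requester is logged in, so any handler on it must do its own checks.

// VULNERABLE PATTERN (hypothetical body): the hook runs for anonymous requests,
// and nothing here verifies who is making the change or that it was intended.
function wplc_head_basic_vulnerable() {
    if ( isset( $_POST['wplc_custom_js'] ) ) {
        // No capability check and no nonce: the option, which is later output
        // into pages, can be overwritten by anyone (persistent XSS).
        update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
    }
}
// Not registered here; kept only to show the defect side by side.

// HARDENED PATTERN: same hook, but the write is gated on a capability and a
// nonce. Because the option is custom JavaScript by design, the controlling
// fix is authorization, not output filtering.
function wplc_head_basic_hardened() {
    if ( ! isset( $_POST['wplc_custom_js'] ) ) {
        return;
    }
    // 1. Authorization: only users who may manage options can change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: require a nonce emitted by wp_nonce_field( 'wplc_save_settings' )
    //    in the settings form; check_admin_referer() dies on a bad or missing one.
    check_admin_referer( 'wplc_save_settings' );

    // 3. Only now persist the value.
    update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
}
add_action( 'admin_init', 'wplc_head_basic_hardened' );
```

When auditing a plugin, every callback attached to admin_init (and to wp_ajax_nopriv_* actions) deserves the same question: does it check a capability and a nonce before touching options, posts or users?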
