WordPress patches XSS vulnerability in WP Live Chat Support

WordPress has issued a patch fixing an unauthenticated persistent cross-site scripting vulnerability in its Live Chat Support, which has a reported 60,000 users.

The problem was uncovered by Sucuri on April 30 and a patch was issued in version 8.0.27 on May 15 by WordPress. Even without an account on a vulnerable site, malicious actors could exploit the vulnerability via an unprotected admin_init hook, a popular attack vector.

"In this particular vulnerability, the function wplc_head_basic updates the plugin settings without using proper privilege checks. Since 'admin_init' hooks can be called visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker could use these endpoints to arbitrarily update the option 'wplc_custom_js,'" Sucuri wrote.

Sucuri encouraged anyone using the plugin to update to the latest version of WordPress, due to the vulnerability's ease of exploitation, the number of affected users and the potential devastating effects of a successful attack.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.