WordPress plugin sees second serious security bug in six weeks

Researchers have uncovered the second serious bug in a WordPress plugin this month that could lead to the mass compromise of WordPress websites.

The bug in the WP Live Chat Support plugin allows attackers to inject their own JavaScript into websites running it. It follows a bug discovered in the plugin six weeks ago that allowed attackers to execute code on websites.

WP Live Chat Support is an open source third-party plugin for WordPress that allows site owners to install live chat functionality on their sites for customer support purposes. There are over 60,000 active installations of the software today, according to its WordPress page.

According to Sucuri, the vulnerability lies in an unprotected admin_init hook. A hook is a way for one piece of code to interact with and change another.

WordPress calls the admin_init hook whenever someone visits a WordPress site’s admin page, and developers can use it to call various functions at that point.

The problem is that admin_init doesn’t require authentication, meaning that anyone who visits the admin URL can cause it to run code. WP Live Chat’s admin hook calls an action called wplc_head_basic, which updates the plugin settings without checking the user’s privileges.

An unauthenticated attacker could use this flaw to update a JavaScript option called wplc_custom_js. That option controls the content that the plugin displays whenever its live chat support window appears. An attacker can insert malicious JavaScript into multiple pages on a WordPress-powered website, the researchers explain.
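As an added illustration (not the plugin's own code), here is the unguarded pattern the researchers describe beside a guarded version. The hook, function and option names come from the article; the function bodies and the nonce action name wplc_save_settings are assumed.

```php
<?php
// Added illustration; not code from WP Live Chat Support. Bodies are assumed.

// VULNERABLE PATTERN: admin_init fires on every wp-admin request, including
// admin-ajax.php, which does not require a logged-in user. Nothing here checks
// who the visitor is, so any request carrying the parameter rewrites the option
// whose contents the plugin later prints into the chat window on public pages.
// Shown for comparison only; it is not hooked below.
function wplc_head_basic_vulnerable() {
    if ( isset( $_POST['wplc_custom_js'] ) ) {
        update_option( 'wplc_custom_js', $_POST['wplc_custom_js'] ); // unauthenticated write
    }
}

// HARDENED PATTERN: a capability check so only administrators can change
// settings, plus a nonce so a logged-in admin cannot be tricked into submitting
// the change from another site (CSRF). The same admin_init hook is used.
function wplc_head_basic_hardened() {
    if ( ! isset( $_POST['wplc_custom_js'] ) ) {
        return;
    }
    // Only users allowed to manage options may save plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // The settings form must carry a nonce generated for this action
    // (wp_nonce_field( 'wplc_save_settings' ) on the form side; name assumed).
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'wplc_save_settings' ) ) {
        return;
    }
    // Custom JS is, by design, arbitrary script chosen by the administrator, so
    // the access controls above are the protection; wp_unslash undoes WordPress's
    // automatic magic-quote escaping before storage.
    update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
}
add_action( 'admin_init', 'wplc_head_basic_hardened' );
```

On a site that already ran the unguarded version, checking the stored value of wplc_custom_js for unexpected script is a quick way to tell whether the option was tampered with.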
