WordPress plugin sees second serious security bug in six weeks
The bug in the WP Live Chat Support plugin allows attackers to inject their own code into websites running it. It follows a bug discovered in the plugin six weeks ago that allowed attackers to execute code on affected websites.
WP Live Chat Support is an open source third-party plugin for WordPress that allows users to install live chat functionality on their sites for customer support purposes. There are over 60,000 active installations of the software today, according to its WordPress page.
According to Sucuri, the vulnerability lies in an unprotected admin_init hook. A hook is a way for one piece of code to interact with and change another. WordPress calls the admin_init hook whenever someone visits a WordPress site's admin page, and developers can use it to call various functions at that point.

The problem is that admin_init doesn't require authentication, meaning that anyone who visits the admin URL can cause it to run code. WP Live Chat's admin hook calls an action called wplc_head_basic, which updates the plugin settings without checking the user's privileges.
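To make the flaw described above concrete, here is an added example of the same class of mistake in a plugin's own code, followed by the hardened form a reviewer would expect. It is constructed for this article and is not code from WP Live Chat Support or from Sucuri; every example_-prefixed function, the example_settings option key and the field names are assumptions. The point it illustrates is that admin_init is reached by unauthenticated requests (WordPress fires it from admin-ajax.php and admin-post.php as well as from wp-admin pages), so any handler hooked there must do its own capability and nonce checks before writing settings.

```php
<?php
/**
 * Constructed example (not the plugin's code): an admin_init handler that
 * saves plugin settings, shown first in a weak form and then hardened.
 * The example_ function names and the example_settings option are assumptions.
 *
 * admin_init fires not only on wp-admin pages but also on admin-ajax.php and
 * admin-post.php, which accept unauthenticated requests, so a handler hooked
 * here cannot rely on the hook itself for authorization.
 */

// Weak pattern: trusts any request that reaches admin_init.
function example_save_settings_unchecked() {
    if ( isset( $_POST['example_settings'] ) ) {
        // No capability check, no nonce, no sanitization: any visitor who
        // reaches an admin endpoint can overwrite the option with markup that
        // is later echoed into pages (stored cross-site scripting).
        update_option( 'example_settings', $_POST['example_settings'] );
    }
}
// add_action( 'admin_init', 'example_save_settings_unchecked' ); // the defect, left unhooked

// Hardened pattern: authorize, verify intent, then sanitize before storing.
function example_save_settings_checked() {
    if ( ! isset( $_POST['example_settings'] ) ) {
        return;
    }

    // 1. Authorization: only users allowed to manage site options may save.
    //    Anonymous visitors have no capabilities, so this alone closes the
    //    unauthenticated path.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }

    // 2. Intent: a nonce tied to this action defeats cross-site request forgery
    //    against a logged-in administrator. check_admin_referer() dies on failure.
    check_admin_referer( 'example_save_settings', 'example_settings_nonce' );

    // 3. Input handling: accept only known keys and strip markup from values,
    //    so stored settings cannot carry script into pages that render them.
    $allowed = array( 'chat_title', 'offline_message' );
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $_POST['example_settings'][ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( wp_unslash( $_POST['example_settings'][ $key ] ) );
        }
    }

    update_option( 'example_settings', $clean );
}
add_action( 'admin_init', 'example_save_settings_checked' );

// Settings form: the nonce field pairs with check_admin_referer() above, and
// stored values are escaped on output as a second line of defense.
function example_render_settings_form() {
    $settings = get_option( 'example_settings', array() );
    echo '<form method="post">';
    wp_nonce_field( 'example_save_settings', 'example_settings_nonce' );
    echo '<input name="example_settings[chat_title]" value="'
        . esc_attr( $settings['chat_title'] ?? '' ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

When auditing a plugin for this pattern, the thing to look for is any add_action('admin_init', ...) callback (or any function it reaches) that calls update_option() or similar on request data without a current_user_can() check and a nonce check preceding it; the hook name alone proves nothing about who sent the request.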