A critical flaw in the “WP Live Chat Support” WordPress plugin allows an unauthenticated attacker to steal chat logs and manipulate chat sessions.
“We uncovered a critical authentication bypass (CWE-287 / OWASP Top 10: A2:2017-Broken Authentication) in version 8.0.32 and earlier. This bypass allows an attacker to gain access to the REST API functionality without valid credentials, enabling exfiltration of chat logs and the ability to manipulate chat sessions.”
The flaw allows unauthenticated users to reach REST API endpoints that are meant to be restricted to authenticated users of the plugin.
An attacker could leverage these exposed endpoints for malicious purposes, including:
- Extracting the entire chat history for all chat sessions
- Injecting arbitrary messages into active chat sessions and posing as an agent
- Editing injected messages to retroactively conceal what they contained
- Arbitrarily ending active chat sessions as part of a denial of service (DoS) attack
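To make the bug class concrete, the following is an added illustration and not code from WP Live Chat Support or from the researchers' report. It shows a WordPress REST route registered with a permission callback that admits everyone (the CWE-287 situation: no credentials needed to read or write chat history) next to a hardened registration that fails closed. The namespace `example-chat/v1`, the capability `example_chat_agent`, and the option-based storage are placeholders chosen for this example.

```php
<?php
// Added example, not the plugin's code: a CWE-287 pattern in a WordPress REST route and its fix.
// Every namespace, route, capability and option name below is a placeholder for this illustration.

// ---- Weak registration: the permission callback admits everyone. ----
// Any anonymous client can GET /wp-json/example-chat/v1/history/42 to read a transcript
// and POST to it to inject a message, which is the "no valid credentials" situation above.
// Shown for contrast only; it is deliberately NOT hooked into rest_api_init.
function example_chat_register_weak_route() {
    register_rest_route( 'example-chat/v1', '/history/(?P<chat_id>\d+)', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_chat_handle_history',
        'permission_callback' => '__return_true', // <-- authentication bypass
    ) );
}

// ---- Hardened registration: decide in permission_callback, not inside the handler. ----
function example_chat_register_hardened_route() {
    register_rest_route( 'example-chat/v1', '/history/(?P<chat_id>\d+)', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_chat_handle_history',
        'permission_callback' => 'example_chat_agent_only',
        'args'                => array(
            'chat_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}

function example_chat_agent_only( WP_REST_Request $request ) {
    // Cookie-authenticated REST calls must carry a valid X-WP-Nonce (wp_create_nonce('wp_rest')).
    // Without it WordPress treats the caller as anonymous, so both checks below fail closed.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'example_chat_agent' ) ) { // placeholder capability granted to agents
        return new WP_Error( 'rest_forbidden', 'Agent capability required.', array( 'status' => 403 ) );
    }
    return true;
}

function example_chat_handle_history( WP_REST_Request $request ) {
    $chat_id = (int) $request['chat_id'];
    $key     = 'example_chat_history_' . $chat_id; // placeholder storage: one option per chat
    $history = get_option( $key, array() );

    if ( 'POST' === $request->get_method() ) {
        $text = sanitize_text_field( (string) $request->get_param( 'message' ) );
        if ( '' === $text ) {
            return new WP_Error( 'rest_invalid_param', 'message is required.', array( 'status' => 400 ) );
        }
        $history[] = array(
            'from' => get_current_user_id(), // never trust a client-supplied sender identity
            'text' => $text,
            'ts'   => time(),
        );
        update_option( $key, $history, false );
    }
    return rest_ensure_response( $history );
}

add_action( 'rest_api_init', 'example_chat_register_hardened_route' );
```

With the hardened route in place, an anonymous `GET /wp-json/example-chat/v1/history/1` returns HTTP 401 with a `rest_forbidden` JSON body instead of the transcript. When auditing a plugin for this class of issue, grep its source for `permission_callback` values of `__return_true` and for routes whose callback does the authorization itself; since WordPress 5.5 a route registered with no `permission_callback` at all also triggers a `_doing_it_wrong` notice, which is worth treating as a finding.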
The flaw affects all WordPress websites using WP Live Chat Support version 8.0.32 and earlier.
The researchers notified the developers on 28 May, and a new version addressing the flaw was released on 31 May. Administrators are advised to update the plugin immediately.
For administrators who cannot update right away, the researchers also offered a stopgap: virtual patching with a WAF that filters traffic destined for the WP Live Chat Support REST endpoints until the update can be applied.
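One way to implement that virtual patch at the web server, as an added example that is not from the report or the plugin: restrict the plugin's REST namespace to known agent addresses and refuse everyone else at the edge, before the request reaches PHP and the plugin's own permission check. The namespace `wp_live_chat_support` and the address `203.0.113.10` are placeholders; list the real namespace with an anonymous `GET /wp-json/` on your site before deploying.

```nginx
# Added example of a WAF-style virtual patch, written for nginx. Not part of the original
# report or of the plugin. The namespace is a placeholder; confirm it from GET /wp-json/.
server {
    # ... existing server configuration ...

    # With pretty permalinks disabled, REST routes are reached as /?rest_route=/..., so
    # block that form of the same namespace as well (the leading slash may be %2F-encoded).
    if ($arg_rest_route ~* "^(/|%2F)wp_live_chat_support/") {
        return 403;
    }

    location ~ ^/wp-json/wp_live_chat_support/ {
        # Agents keep access from known addresses (RFC 5737 documentation range used here);
        # every other client is refused with 403 before the request ever reaches WordPress.
        allow 203.0.113.10;
        deny  all;

        # Hand allowed requests to WordPress the same way the rest of /wp-json/ is served.
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

Two caveats a practitioner should weigh before deploying this. First, do not substitute a "logged-in cookie present" check for the IP allowlist: a client can send any `wordpress_logged_in_*` cookie name it likes, so cookie presence proves nothing, whereas the actual cookie validation happens inside WordPress. Second, check your access logs for which clients call these routes; if the visitor-facing chat widget also uses them, the rule will break chat for visitors, and you will have to choose between that outage and the exposure until the plugin is updated. Either way the rule is a stopgap, not a fix, and should be removed once the patched version is installed.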
In the report, the researchers also noted that they did not find any attempt to exploit this authentication bypass flaw.
WP Live Chat Support is a popular WordPress live chat plugin with over 50,000 installations that lets websites offer free live chat support.