Critical Flaw in WP Live Chat Support WordPress Plugin allows Attackers to Steal Logs and Sessions


A critical flaw in the “WP Live Chat Support” WordPress live chat plugin allows an unauthenticated attacker to steal chat logs and manipulate chat sessions.

The flaw tracked as CVE-2019-12498 was discovered by security researchers at Alert Logic.

“We uncovered a critical authentication bypass (CWE-287 / OWASP Top 10: A2:2017-Broken Authentication) in version 8.0.32 and earlier. This bypass allows an attacker to gain access to the REST API functionality without valid credentials—enabling exfiltration of chat logs and the ability to manipulate chat sessions.”

The flaw allows unauthenticated users to gain access to restricted REST API endpoints.


A potential attacker could leverage these exposed endpoints for malicious purposes, including:

  • Extracting the entire chat history for all chat sessions
  • Injecting arbitrary messages into active chat sessions and posing as an agent
  • Editing injected messages to retroactively conceal what any injected messages contained
  • Arbitrarily ending active chat sessions as part of a denial of service (DoS) attack

The flaw affects all WordPress websites using WP Live Chat Support version 8.0.32 and earlier.

Researchers notified the developers about the issue on 28th May and a new version addressing the flaw was released on 31st May. Admins are advised to update their plugin immediately.

Researchers also provided a mitigation option for admins who cannot update the plugin immediately: virtual patching with a WAF that filters traffic destined for the WP Live Chat Support REST endpoint.
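To see which clients are hitting the plugin's REST route, whether to size the WAF rule or to check for activity after applying it, here is an access-log triage script added as an example (it is not Alert Logic's code or part of the plugin). The article does not name the plugin's REST namespace, so `PLUGIN_REST_PREFIX` is an assumed placeholder, and the log lines are constructed.

```python
import re
from collections import Counter

# Assumed placeholder: the article does not give the plugin's REST namespace,
# so set this to the route under /wp-json/ that your installation exposes.
PLUGIN_REST_PREFIX = "/wp-json/PLUGIN_NAMESPACE_PLACEHOLDER/"

# Apache/nginx "combined" format: ip - user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the fields of a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def plugin_rest_requests(lines, prefix=PLUGIN_REST_PREFIX):
    """Yield parsed requests whose path (query string stripped) is under the plugin prefix."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0].startswith(prefix):
            yield rec

def summarize(lines, prefix=PLUGIN_REST_PREFIX):
    """Count plugin REST hits per (client IP, HTTP method).

    Reads (GET) map to the log-exfiltration case in the article; state-changing
    methods map to message injection/editing and session termination.
    """
    return Counter((r["ip"], r["method"]) for r in plugin_rest_requests(lines, prefix))

# Constructed sample lines (not real traffic) covering a plugin hit, a hit with a
# query string, an unrelated REST call, a non-REST page and an unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2019:10:00:01 +0000] "GET /wp-json/PLUGIN_NAMESPACE_PLACEHOLDER/chats HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jun/2019:10:00:02 +0000] "POST /wp-json/PLUGIN_NAMESPACE_PLACEHOLDER/message?x=1 HTTP/1.1" 200 87',
    '198.51.100.4 - - [01/Jun/2019:10:00:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Jun/2019:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for (ip, method), n in summarize(SAMPLE_LOG).most_common():
        print(f"{ip:16} {method:6} {n}")
```

Feed it real log lines (for example via `sys.stdin`) once the prefix is set; the per-IP, per-method counts show who is reaching the endpoint and whether any of that traffic is state-changing.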

In the report, the researchers also noted that they did not find any attempt to exploit this authentication bypass flaw.

WP Live Chat Support is one of the more popular WordPress live chat plugins, with over 50,000 installations, and lets websites provide free live chat support.
