Researchers have uncovered the second serious bug in a WordPress plugin this month that could lead to the mass compromise of WordPress websites.
The bug in the WP Live Chat Support plugin allows attackers to inject their own code into websites running it. It follows a bug discovered in the plugin six weeks ago that allowed attackers to execute code on affected websites.
WP Live Chat Support is an open source third-party plugin for WordPress that allows users to install live chat functionality on their sites for customer support purposes. There are over 60,000 active installations of the software today, according to its WordPress page.
According to Sucuri, the vulnerability lies in an unprotected admin_init hook. A hook is a way for one piece of code to interact with and change another. WordPress calls the admin_init hook whenever someone requests a page in a site's admin area, and plugin developers can attach their own functions to it so that they run at that point.
The problem is that admin_init does not require authentication. It fires not only for the dashboard but also for requests to admin-ajax.php and admin-post.php, which WordPress serves to logged-out visitors, so anyone who sends a request to those admin URLs can cause the code attached to the hook to run. WP Live Chat attaches a function called wplc_head_basic to admin_init, and that function updates the plugin's settings from the request without checking the user's privileges.
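To make the pattern concrete, here is an added illustration (not the plugin's own code, and not taken from Sucuri's write-up) of a settings handler that has the flaw described above, beside a hardened version. The option and field names, the capability chosen and the two settings keys are assumptions for the example; the WordPress functions used (add_action, update_option, current_user_can, check_admin_referer, wp_unslash, sanitize_text_field) are real core APIs.

```php
<?php
// Added example, not WP Live Chat's code. Names prefixed "example_" are hypothetical.

// VULNERABLE PATTERN: save settings on admin_init with no capability check and
// no nonce. admin_init also fires for /wp-admin/admin-ajax.php and
// /wp-admin/admin-post.php, which logged-out visitors can request, so any
// visitor can POST to those URLs and overwrite the option.
add_action( 'admin_init', 'example_head_basic_vulnerable' );
function example_head_basic_vulnerable() {
    if ( isset( $_POST['example_settings_save'] ) ) {
        update_option( 'example_settings', $_POST['example_settings'] );
    }
}

// HARDENED PATTERN: the same handler with the checks a reviewer would expect.
add_action( 'admin_init', 'example_head_basic_fixed' );
function example_head_basic_fixed() {
    if ( ! isset( $_POST['example_settings_save'] ) ) {
        return;
    }
    // 1. Authorisation: only users allowed to manage options may change them.
    //    Anonymous visitors hitting admin-ajax.php fail this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 2. CSRF: the request must carry a nonce issued to this user for this
    //    action; check_admin_referer() dies on a missing or invalid nonce.
    //    The settings form must emit it with
    //    wp_nonce_field( 'example_save_settings', 'example_nonce' ).
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Input handling: allow only known keys and sanitise each value, so a
    //    stored value cannot carry markup or script into pages that print it.
    $raw   = isset( $_POST['example_settings'] ) ? wp_unslash( $_POST['example_settings'] ) : array();
    $clean = array();
    foreach ( array( 'chat_enabled', 'greeting' ) as $key ) {  // assumed keys
        if ( isset( $raw[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( $raw[ $key ] );
        }
    }
    update_option( 'example_settings', $clean );
}

// Wherever a setting is printed into HTML, escape it at output time as well;
// sanitising on save is not a substitute for this.
function example_render_greeting() {
    $settings = get_option( 'example_settings', array() );
    echo esc_html( isset( $settings['greeting'] ) ? $settings['greeting'] : '' );
}
```

The first handler is what the article describes: a hook that runs for unauthenticated requests and writes whatever arrives in the POST body straight into the options table. The fixed version fails closed on the capability check before anything else, so the nonce and sanitisation steps are never reached by an anonymous request. When reviewing a plugin, grep for add_action( 'admin_init' and look at whether each attached function reads request data and, if so, whether a current_user_can() and a nonce check come first.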
This isn’t the first time that WP Live Chat has had to patch its plugin. Last year, its developers patched CVE-2018-12426, which was a bug allowing users to upload PHP scripts to the site and execute code remotely.
In April, Alert Logic found that the plugin was still vulnerable even after the patch. The developers introduced the flaw by writing their own file upload code rather than relying on WordPress’s built-in code, the researchers said.
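As an added illustration of the general point about hand-rolled upload code (this is not the plugin's code and not Alert Logic's finding; names prefixed "example_" and the directory and MIME list are assumptions), the snippet below contrasts a custom upload handler with WordPress's own wp_handle_upload(), which validates the file against the site's allowed MIME types, rejects files whose extension does not match their content, and stores them under a sanitised, unique name.

```php
<?php
// Added example, not WP Live Chat's code. "example_" names are hypothetical.

// HAND-ROLLED UPLOAD: trusts the client-supplied file name and extension, so a
// request can place a .php file in a web-reachable directory and then fetch
// it to execute it. Reimplementing this is how such bugs typically appear.
function example_upload_unsafe() {
    $dest = WP_CONTENT_DIR . '/uploads/chat/' . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    return $dest;
}

// USING CORE: wp_handle_upload() does the type and extension checks for you.
// Returns the stored file's absolute path, or a WP_Error.
function example_upload_safe() {
    // Authorisation and CSRF checks first, as with any state-changing request.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to upload files.' );
    }
    check_admin_referer( 'example_chat_upload', 'example_nonce' );

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form' => false,
            // Narrow the accepted types below the site-wide default;
            // anything not listed here (including .php) is refused.
            'mimes'     => array(
                'jpg|jpeg' => 'image/jpeg',
                'png'      => 'image/png',
                'pdf'      => 'application/pdf',
            ),
        )
    );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result['file'];
}
```

The 'mimes' override is optional; without it wp_handle_upload() falls back to the list returned by get_allowed_mime_types(), which already excludes PHP. Either way the check is performed on the file's content and extension together rather than on a name the client chose.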
Unauthenticated vulnerabilities are especially serious because exploiting them needs no account on the target site, so attacks can be automated and run against every vulnerable site at once. The number of active installs, the ease of exploitation, and the effect of a successful attack are what make this vulnerability particularly dangerous.
One user reported:
I am not able to update the plugin any more, which is necessary because of the vulnerability that occurred in the last few days.
I get the message: "This plugin has been closed for new installations."
Others reported the same problem, with one complaining that the plugin was part of a WordPress theme they had bought.
We were unable to get a response from the company via several channels, but it urged people to update on Twitter last week. Its blog mentions that it recently merged the free and pro versions of the plugin and points to an installation guide.