
Persistent Cross-site Scripting in WP Live Chat Support Plugin


Current State of the Vulnerability

Though this security bug has been fixed in the 8.0.27 release, it can be exploited by an attacker without any account on the vulnerable site.

Technical Details

This vulnerability can be exploited due to a well-known attack vector in the WordPress plugin world, an unprotected admin_init hook:

[Figure: Unprotected admin_init hook]

In this particular vulnerability, the function wplc_head_basic updates the plugin settings without using proper privilege checks:

[Figure: Function wplc_head_basic]

It then executes an action hook with even more critical settings:

Update as Soon as Possible

Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what make this vulnerability particularly dangerous. To protect against this vulnerability, we strongly encourage WP Live Chat Support users to update their plugin to version 8.0.27 as soon as possible.
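The unprotected admin_init pattern described under Technical Details, next to a hardened handler, as an added example that is not code from WP Live Chat Support or from the original article. The option name, nonce action and function names are hypothetical; only the WordPress core functions are real.

```php
<?php
// Added example: hypothetical plugin, NOT WP Live Chat Support code.
// 'myplugin_welcome_text' and 'myplugin_save_settings' are made-up names.

// BEFORE: admin_init also fires on wp-admin/admin-ajax.php and
// wp-admin/admin-post.php for visitors who are not logged in, so a
// handler hooked here runs for any request that reaches those files.
function myplugin_save_settings_unsafe() {
    if ( isset( $_POST['myplugin_welcome_text'] ) ) {
        // No capability check, no nonce, no sanitization.
        update_option( 'myplugin_welcome_text', $_POST['myplugin_welcome_text'] );
    }
}
// Deliberately left unregistered:
// add_action( 'admin_init', 'myplugin_save_settings_unsafe' );

// AFTER: same hook, but the write is gated on who is asking and how.
function myplugin_save_settings() {
    if ( ! isset( $_POST['myplugin_welcome_text'] ) ) {
        return; // Not our form submission.
    }

    // 1. Privilege check: only users allowed to manage options may write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change these settings.', 'myplugin' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. CSRF check: the form must carry wp_nonce_field( 'myplugin_save_settings' ).
    check_admin_referer( 'myplugin_save_settings' );

    // 3. Sanitize before storing.
    $value = sanitize_text_field( wp_unslash( $_POST['myplugin_welcome_text'] ) );
    update_option( 'myplugin_welcome_text', $value );
}
add_action( 'admin_init', 'myplugin_save_settings' );

// Output side: escape the stored value where it is rendered, so a value
// written before the fix cannot execute as script.
function myplugin_render_welcome_text() {
    echo '<p class="myplugin-welcome">'
        . esc_html( get_option( 'myplugin_welcome_text', '' ) )
        . '</p>';
}
```

When auditing a plugin for this class of bug, list every callback registered on admin_init and confirm each state-changing path reaches a current_user_can() check before any update_option() call.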
