This month, researchers discovered the second serious bug in a WordPress plug-in that could lead to a mass compromise of WordPress websites.
The bug in the WP Live Chat Support plug-in allows attackers to inject their own code into the websites that use it. It follows a bug discovered six weeks ago in the plug-in that allowed attackers to execute code on affected websites.
WP Live Chat Support is an open source external plug-in for WordPress that allows users to install live chat functionality on their sites for customer support. There are now more than 60,000 active installations of the software, according to the WordPress page.
According to Sucuri, the vulnerability lies in an unprotected admin_init hook. A hook is a mechanism by which one piece of code can plug into another and change its behaviour.
WordPress fires the admin_init hook when someone visits the admin area of a WordPress site, and developers can use it to run their own functions at that point.
The problem is that admin_init requires no authentication, which means that anyone who can reach the admin URL can trigger the code attached to it. WP Live Chat's admin_init hook calls an action named wplc_head_basic, which updates the plug-in's settings without checking the user's rights.
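As an added illustration (this is not WP Live Chat Support's own code, which the article does not reproduce), the hypothetical plug-in fragment below shows the pattern Sucuri describes, a settings update attached to admin_init with no rights check, beside the same update guarded the way WordPress expects. The function, option and nonce names are assumptions for the example; the WordPress API calls are real.

```php
<?php
// Added illustration, not the plug-in's own code. Names prefixed "example_"
// are assumptions for this example.
//
// admin_init runs on every request into the wp-admin area, including
// admin-ajax.php, which does not require the visitor to be logged in. A
// settings update hooked there must enforce rights and a nonce itself.

// --- Weak pattern: settings written with no capability or nonce check. ---
function example_settings_init_weak() {
    if ( isset( $_POST['example_welcome_text'] ) ) {
        // Anyone who can reach admin_init can rewrite this option.
        update_option( 'example_welcome_text', wp_unslash( $_POST['example_welcome_text'] ) );
    }
}
// A vulnerable plug-in would register the weak callback like this:
// add_action( 'admin_init', 'example_settings_init_weak' );

// --- Hardened pattern: capability check, nonce check, then sanitisation. ---
function example_settings_init_hardened() {
    if ( ! isset( $_POST['example_welcome_text'] ) ) {
        return;
    }
    // Only users who may manage the site may change its settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() dies unless the request carries a valid nonce for
    // this action, which blocks cross-site request forgery against real admins.
    check_admin_referer( 'example_save_settings', 'example_settings_nonce' );

    $value = sanitize_text_field( wp_unslash( $_POST['example_welcome_text'] ) );
    update_option( 'example_welcome_text', $value );
}
add_action( 'admin_init', 'example_settings_init_hardened' );

// The settings form that posts example_welcome_text must emit the matching
// nonce field, for instance:
//   wp_nonce_field( 'example_save_settings', 'example_settings_nonce' );
```

In practice a plug-in that registers its options through the WordPress Settings API (register_setting and a form posting to options.php) gets the capability and nonce checks from WordPress core rather than reimplementing them, which is the same lesson the article draws below about the plug-in's hand-written upload code.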
This is not the first time WP Live Chat has had to patch the plug-in. Last year, developers patched CVE-2018-12426, which was a bug that allowed users to upload PHP scripts to the site and execute code remotely.
In April, Alert Logic discovered that the plug-in was still vulnerable, even after the patch. The developers introduced the error by writing their own file upload code instead of relying on WordPress' built-in code, the researchers said.
Unauthenticated attacks are particularly serious because they can be automated, making it easy for attackers to launch successful, widespread attacks on vulnerable websites. The number of active installations, the ease of exploitation and the impact of a successful attack make this vulnerability especially dangerous.
However, some users complained that they could not update. WP Live Chat's page in the WordPress plug-in directory says it is closed for new installations. In the support forum, user Tiiunder said:
I can no longer update the plug-in, which is necessary because of the vulnerability that has appeared in the last few days.
I get the message: this plug-in is closed for new installations.
Others reported the same problem, with one complaining that the plug-in was part of a WordPress theme they had purchased.
We could not get a response from the company through various channels, but it did urge people on Twitter last week to update. Its blog mentions that it recently merged the free and pro versions of the plug-in and points to an installation guide.