WordPress plug-in sees the second serious security bug in six weeks

This month, researchers discovered the second serious bug in a WordPress plug-in that could lead to a mass compromise of WordPress websites.

The bug in the WP Live Chat Support plug-in allows attackers to inject their own code into the websites that use it. It follows a bug discovered six weeks ago in the same plug-in that allowed attackers to execute code on affected websites.

WP Live Chat Support is an open source external plug-in for WordPress that allows users to install live chat functionality on their sites for customer support. There are now more than 60,000 active installations of the software, according to the WordPress page.

According to Sucuri, the vulnerability lies in an unprotected admin_init hook. A hook is a mechanism by which one piece of code can attach to, and modify the behaviour of, another piece of code.

WordPress fires the admin_init hook when someone visits an admin page of a WordPress site, and developers can use it to run their own functions at that point.

The problem is that admin_init requires no authentication, which means that anyone who reaches the admin URL can trigger the code attached to it. WP Live Chat attaches an action called wplc_head_basic to admin_init, and that action updates the plug-in's settings without checking the user's permissions.

An unauthenticated attacker can use this flaw to update a JavaScript option called wplc_custom_js. This option holds the content the plug-in outputs when the live chat support window appears, so an attacker could insert malicious JavaScript into multiple pages of a WordPress website, the researchers explain.
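As an added illustration, not the plug-in's own source, here is the pattern the researchers describe (a settings write inside an admin_init callback with no permission check) next to a hardened version. The function and option names come from the article; the POST field names and the nonce action are assumptions.

```php
<?php
// Added illustration, not the plug-in's actual code. wplc_head_basic and
// wplc_custom_js are named in the article; the request fields below are
// hypothetical.

// --- Vulnerable pattern: a settings write hooked to admin_init with no
// capability or nonce check. admin_init also runs for admin-ajax.php
// requests, which WordPress serves to unauthenticated visitors, so any
// visitor who reaches the admin URL can trigger this callback.
function wplc_head_basic_vulnerable() {
    if ( isset( $_POST['wplc_save_settings'] ) ) {
        // Stored as-is and later printed into the chat widget on every page.
        update_option( 'wplc_custom_js', $_POST['wplc_custom_js'] );
    }
}
// add_action( 'admin_init', 'wplc_head_basic_vulnerable' );

// --- Hardened pattern: same feature, but the write only happens for a
// logged-in user who may manage options, the request must carry a nonce
// from a form that user actually loaded, and arbitrary script is treated
// as a privileged value.
function wplc_head_basic_hardened() {
    if ( ! isset( $_POST['wplc_save_settings'] ) ) {
        return;
    }
    // Rejects anonymous visitors and logged-in users without the right.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF protection: dies unless a valid nonce for this action is present
    // (the form must emit it with wp_nonce_field( 'wplc_save_settings_action',
    // 'wplc_settings_nonce' )).
    check_admin_referer( 'wplc_save_settings_action', 'wplc_settings_nonce' );

    $custom_js = isset( $_POST['wplc_custom_js'] )
        ? wp_unslash( $_POST['wplc_custom_js'] )
        : '';
    // Script that will be output on public pages is only accepted from a
    // user who is already allowed to post unfiltered HTML.
    if ( '' !== $custom_js && ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( 'Custom script requires unfiltered_html', '', array( 'response' => 403 ) );
    }
    update_option( 'wplc_custom_js', $custom_js );
}
add_action( 'admin_init', 'wplc_head_basic_hardened' );
```

The capability check is what closes the unauthenticated path; the nonce additionally stops a logged-in administrator from being tricked into submitting the form from another site.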