A critical vulnerability was discovered in one of the popular WordPress Live Chat plugin, which when exploited, would let unauthorized remote hackers to steal chat logs or manipulate chat sessions.
The vulnerability which has been dubbed as CVE-2019-12498, resides in the “WP Live Chat Support” which is currently used by more than 50,000 businesses to provide customer support and chat with visitors through their websites.
The flaw was discovered by cybersecurity researchers at Alert Logic and they state that the flaw originates because of an improper validation check for authentication that could permit unauthenticated users to access restricted REST API endpoints.
A potential remote attacker can exploit the exposed endpoints for malicious purposes like
- Stealing the entire chat history for all chat sessions,
- Modifying or deleting chat history,
- Injecting messages into an active chat session, acting as a customer support agent,
- Forcefully end active chat sessions, like a denial of service (DoS) attack.
This issue affects all WordPress websites as well as their customers, who still make use of the WP Live Chat Support version 8.0.32 or earlier to provide live support.
The issue has been reported to the maintainers of this affected WordPress plugin, for which an updated patched version of the plugin was released.
However, there was no evidence of any active exploitation of the flaw in the wild. But the WordPress administrators are highly recommended to install the latest version of the plugin at the earliest.