Security researchers at Alert Logic have discovered a vulnerability in the WordPress Live Chat plugin that could be exploited to steal and hijack sessions.
Experts at Alert Logic have discovered a vulnerability in the popular WordPress Live Chat plugin that could be exploited by an unauthorized remote attacker to steal chat logs or manipulate chat sessions.
The vulnerability, tracked as CVE-2019-12498, is a critical authentication bypass issue (CWE-287 / OWASP Top 10 A2:2017 Broken Authentication) that affects version 8.0.32 and earlier of the plugin.
The vulnerability is caused by an improper authentication validation check; an attacker can trigger it to gain access to restricted REST API endpoints.
WP Live Chat Support lets site owners provide customer support and chat with visitors through their WordPress websites; over 50,000 businesses currently use the plugin.
“The restricted REST API endpoints of the affected versions of WP Live Chat are vulnerable to abuse by
The REST API endpoints of unpatched WP Live Chat Support installs are potentially exposed to attacks carried out by unauthenticated remote attackers due to a vulnerability in the ‘wplc_api_permission_check()’ function.”
“The above series of ‘register_rest_route()’ calls define those REST API endpoints which should have access restrictions due to the nature of the functionality they expose,” continues the Alert Logic research team.
“Each restricted endpoint shares the same ‘permission_callback’ function, namely the ‘wplc_api_permission_check()’ function which will be explored shortly.”
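As an added illustration (not the plugin's own code), this is how a WordPress REST route is restricted through its ‘permission_callback’; the namespace, route and function names are placeholders, and the callback fails closed on anything other than an authenticated user holding the required capability.

```php
<?php
// Added example, not WP Live Chat Support code. 'wplc-example/v1',
// 'chat-history' and the example_* functions are placeholder names.

add_action( 'rest_api_init', function () {
    register_rest_route( 'wplc-example/v1', '/chat-history', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_chat_history',
        'permission_callback' => 'example_chat_permission_check',
    ) );
} );

// The permission callback is the trust boundary for the endpoint. It must
// fail closed: anything other than an authenticated user with the right
// capability gets a 401/403, regardless of other request parameters.
function example_chat_permission_check( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in',
            'Authentication required.', array( 'status' => 401 ) );
    }
    // Use the narrowest capability that fits; manage_options is admin-only.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden',
            'Insufficient privileges.', array( 'status' => 403 ) );
    }
    // For cookie-authenticated REST calls WordPress validates the X-WP-Nonce
    // header itself and treats a request without one as unauthenticated, so
    // the is_user_logged_in() check above already covers that path.
    return true;
}

function example_get_chat_history( WP_REST_Request $request ) {
    // Placeholder data source; a real plugin would query its own tables.
    $history = array();
    return rest_ensure_response( $history );
}
```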
A remote attacker can exploit exposed endpoints for several malicious purposes, including:
- stealing the entire chat history for all chat sessions,
- modifying or deleting the chat history,
- injecting messages into an active chat session, posing as a customer support agent,
- forcefully ending active chat sessions, as part of a denial of service (DoS) attack.
Below is the timeline of the vulnerability:

| Event | Date |
|---|---|
| Initial contact with vendor | 28 May 2019 |
| Vulnerability disclosed to vendor | 29 May 2019 |
| Vendor accepts vulnerability; begins working on patch | 30 May 2019 |
| Submitted to NVD; CVE assigned | 31 May 2019 |
| New version released; confirmed no longer vulnerable | 31 May 2019 |
| Responsible disclosure embargo lifted | 10 June 2019 |
Fortunately, experts are not aware of attacks in the wild exploiting the vulnerability.
The post Vulnerability in WordPress Live Chat Plugin allows to steal and hijack sessions appeared first on Security Affairs.
The WordPress plugin Convert Plus is affected by a critical flaw that could be exploited by an unauthenticated attacker to create accounts with administrator privileges.
The vulnerability stems from the lack of filtering when processing a new user subscription via a form implemented by the Convert Plus plugin, which already has more than 100,000 active installations.
Convert Plus aims at generating more subscribers and sales conversions using popups, header & footer bars, slide-in forms, sidebar widgets, in-line forms, and social buttons.
New subscribers can use a specific form that lets them choose the role they want; of course, administrator is not among the options offered in the drop-down menu.
Experts at Defiant discovered that the Convert Plus plugin includes an administrator role in a hidden field called “cp_set_user.” They pointed out that the value of this field is supplied by the same HTTP request as the rest of the subscription entry, so users can modify it.
“However, in vulnerable versions of the plugin, this intended user role wasn’t fetched from the database on submission. Instead, this setting was reflected in a hidden field on the plugin’s forms called cp_set_user.” reads the analysis by the experts. “Because this value is supplied by the same HTTP request as the rest of the subscription entry, it can be modified by the user.”
It would be very easy for an attacker to submit a subscription form and set the value of “cp_set_user” to “administrator” in order to create a new admin user.
“This code calls the plugin’s function cp_add_new_user_role with the role provided in the AJAX request, which then handles the process of creating the user as directed.” continues the analysis.
“Since no filtering is applied when this new subscription is processed, if an attacker submits a subscription form and changes the value of cp_set_user to “administrator”, the plugin will create an administrator user associated with the given email address.”
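The defect is a textbook case of trusting a client-supplied field for a privileged decision. As an added illustration (not Convert Plus code), the vulnerable shape is shown next to a hardened handler that takes the role from a server-side setting and validates it against an explicit whitelist; option, nonce and function names are placeholders.

```php
<?php
// Added example, not Convert Plus code. 'example_subscriber_role',
// 'example_subscribe' and the example_* functions are placeholder names.

// Vulnerable pattern: whatever the client put in cp_set_user becomes the role.
function example_vulnerable_subscribe( array $post ) {
    $email = sanitize_email( $post['email'] );
    $role  = $post['cp_set_user'];            // attacker-controlled
    return example_add_user_with_role( $email, $role );
}

// Hardened pattern: the role comes from the administrator's stored setting,
// never from the request, and is validated against a whitelist of roles a
// public form is allowed to grant.
function example_hardened_subscribe( array $post ) {
    if ( ! wp_verify_nonce( $post['_wpnonce'] ?? '', 'example_subscribe' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }
    $email = sanitize_email( $post['email'] ?? '' );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'Invalid e-mail address.' );
    }
    $allowed = array( 'subscriber', 'contributor' );
    $role    = get_option( 'example_subscriber_role', 'subscriber' );
    if ( ! in_array( $role, $allowed, true ) ) {
        $role = 'subscriber'; // unknown or tampered setting: fail safe
    }
    return example_add_user_with_role( $email, $role );
}

function example_add_user_with_role( $email, $role ) {
    if ( email_exists( $email ) ) {
        return new WP_Error( 'exists', 'Account already exists.' );
    }
    // Returns the new user ID or a WP_Error.
    return wp_insert_user( array(
        'user_login' => $email,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
}
```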
The attack creates a new admin account with a randomized password, but that is not an obstacle because the attacker can then use the standard password reset procedure to set a password of their choice.
The vulnerability affects all versions of the Convert Plus plugin up to 3.4.2; it is essential that administrators update their installs to version 3.4.3.
Defiant experts also published a video PoC for the exploitation of the issue.
Below is the disclosure timeline of the vulnerability:
- May 24 – Vulnerability discovered. Notified developers privately.
- May 28 – Patch released by developers. Firewall rule released for Premium users.
- June 27 – Planned date for firewall rule’s release to Free users.
The post Convert Plus WordPress plugin flaw allows hackers to create Admin accounts appeared first on Security Affairs.
Security researchers are monitoring a new hacking campaign aimed at Joomla and WordPress websites in which attackers use an .htaccess injector for malicious redirects.
Researchers at Sucuri are warning Joomla and WordPress website admins of a malicious hypertext access (.htaccess) injector found on a client website. The compromised website was used by attackers to redirect traffic to advertising sites that attempted to deliver malware.
“During the process of investigating one of our incident response cases, we found an
.htaccess files are configuration files for web servers running the Apache Web Server software. These .htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features. The features include the redirect functionality, content password protection or image hot link prevention.
Sucuri spotted threat actors abusing the URL redirect function of the .htaccess file to redirect visitors of compromised websites to phishing sites, sites delivering malware, or simply to generate impressions.
At the time it is not clear how attackers gain access to the Joomla and WordPress websites; we only know that they inject the malicious code into some of the websites’ index.php files.
“Below is the code within the ./modules/mod_widgetread_twitt/index.php file on a Joomla website. This code is responsible for injecting the malicious redirects into the .htaccess files:“
“This code is searching for an .htaccess file. If found, this code will place malicious redirects in the file immediately after “# BEGIN WORDPRESS”.” continues the report.
A warning message from endpoint antivirus software, displayed when users are redirected to a malicious site by compromised Joomla and WordPress sites.
The PHP code also searches for more files and folders, recursing into nested directories.
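For site owners wanting to check whether their own .htaccess files carry redirects of this kind, here is an added defender-side example (not Sucuri's code): it walks a web root, opens every .htaccess and reports Redirect/RewriteRule directives whose target is an absolute URL on a host outside the site's own allowlist. The sample content is constructed to resemble the injected redirect the article describes, and $allowed_hosts is an assumption to adapt per site.

```php
<?php
// Added example, not Sucuri's code. The sample .htaccess content below is
// constructed; the allowlist of hosts is an assumption for the demo site.

function find_external_redirects( string $htaccess, array $allowed_hosts ): array {
    $hits = array();
    foreach ( preg_split( '/\R/', $htaccess ) as $n => $line ) {
        $trim = ltrim( $line );
        if ( $trim === '' || $trim[0] === '#' ) {
            continue; // blank lines and comments carry no directives
        }
        // Only Redirect, RedirectMatch and RewriteRule can send a visitor elsewhere.
        if ( ! preg_match( '/^(Redirect(?:Match)?|RewriteRule)\s+/i', $trim ) ) {
            continue;
        }
        // An absolute http(s) target on a foreign host is what the campaign relies on.
        if ( preg_match( '#https?://([^/\s"\']+)#i', $trim, $m ) ) {
            $host = strtolower( $m[1] );
            if ( ! in_array( $host, $allowed_hosts, true ) ) {
                $hits[] = array( 'line' => $n + 1, 'host' => $host, 'text' => $trim );
            }
        }
    }
    return $hits;
}

// Recursively visit every .htaccess under $root (the injector writes into nested
// folders, so the document root alone is not enough).
function scan_tree_for_htaccess( string $root, array $allowed_hosts ): array {
    $report = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $it as $file ) {
        if ( $file->getFilename() !== '.htaccess' ) {
            continue;
        }
        $hits = find_external_redirects( file_get_contents( $file->getPathname() ), $allowed_hosts );
        if ( $hits ) {
            $report[ $file->getPathname() ] = $hits;
        }
    }
    return $report;
}

// Constructed sample: a WordPress block with a redirect injected right after the marker.
$sample = "# BEGIN WordPress\nRewriteEngine On\nRewriteCond %{HTTP_REFERER} google\\.com [NC]\n"
        . "RewriteRule .* http://malicious.example/land.php [R=302,L]\n"
        . "RewriteRule . /index.php [L]\n# END WordPress\n";
print_r( find_external_redirects( $sample, array( 'www.example.com' ) ) );
```

On the constructed sample the function flags the RewriteRule pointing at malicious.example and leaves the relative /index.php rule alone; run scan_tree_for_htaccess() against the document root for a whole-site check.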
It’s not uncommon to see hackers targeting websites through
The root cause of the problem is that Apache disabled support for .htaccess in version 2.3.9 to improve performance (the server doesn’t have to check for this file every time it accesses a directory) and to prevent users from overriding security features that were configured on the server.
The side effect is that this technical choice left some developers and their projects open to attacks.
“While the majority of web applications make use of redirects, these features are also commonly used by bad actors to generate advertising impressions, send unsuspecting site visitors to phishing sites, or other malicious web pages.” concludes Sucuri.
(SecurityAffairs – .htaccess, hacking)
The post Crooks leverages .htaccess injector on Joomla and WordPress sites for malicious redirects appeared first on Security Affairs.
A vulnerability in the Live Chat Support plugin for WordPress could be exploited by attackers to inject malicious scripts in websites using it
Researchers at Sucuri have discovered a stored/persistent cross-site scripting (XSS) vulnerability in the WP Live Chat Support plugin for WordPress.
The flaw could be exploited by remote, unauthenticated attackers to inject malicious scripts in websites running the WordPress CMS and using the Live Chat Support plugin. The issue could be exploited by a remote attacker that does not have an account on the affected website.
The plugin is estimated to have over 60,000 installs; it implements a chat solution for customer engagement and conversion.
Versions of the plugin prior to 8.0.27 are vulnerable to stored/persistent XSS.
Experts pointed out that the attack to trigger this issue can be automated to hit a broad range of victims.
An XSS vulnerability could allow hackers to inject malicious code in websites and compromise visitors’ accounts or expose them to modified page content. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
An XSS is persistent when the malicious code is added to content that is stored on the server. Every time a visitor’s browser loads the page, it parses and executes the malicious code.
In order to exploit the vulnerability, an unprotected admin_init hook can be used as the attack vector:
Experts discovered that the function wplc_head_basic lacks proper privilege checks while updating the plugin settings.
“It then executes an action hook with even more critical settings,” reads the advisory published by Sucuri. “Since “admin_init” hooks can be called visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker could use these endpoints to arbitrarily update the option “wplc_custom_js”.”
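The pitfall here is WordPress-specific: admin_init fires on every request under /wp-admin/, including admin-ajax.php and admin-post.php, which anonymous visitors can reach. As an added illustration (not the plugin's code), the unsafe shape is shown next to a handler that checks capability and nonce and is attached to a dedicated admin_post action; option and action names are placeholders.

```php
<?php
// Added example, not WP Live Chat Support code. 'example_custom_js' and
// 'example_save_custom_js' are placeholder option and action names.

// Unsafe shape: any request reaching admin_init with the field set updates
// the option, and admin_init runs for unauthenticated admin-ajax.php calls.
function example_unsafe_save_custom_js() {
    if ( isset( $_POST['example_custom_js'] ) ) {
        update_option( 'example_custom_js', wp_unslash( $_POST['example_custom_js'] ) );
    }
}
// add_action( 'admin_init', 'example_unsafe_save_custom_js' ); // do not use

// Hardened shape: the handler runs only for the named admin-post action
// (admin_post_{action} requires a logged-in user), then enforces capability
// and nonce before writing.
function example_safe_save_custom_js() {
    // The stored value is raw script rendered on every page, so require the
    // same capability WordPress uses for unfiltered markup, not just admin.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_custom_js' ); // dies on a missing or bad nonce
    $js = isset( $_POST['example_custom_js'] ) ? wp_unslash( $_POST['example_custom_js'] ) : '';
    update_option( 'example_custom_js', $js );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_example_save_custom_js', 'example_safe_save_custom_js' );
```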
To secure your WordPress install, update the WP Live Chat Support
Below is the timeline of the flaw:
- April 30, 2019: Initial contact attempt.
- May 15, 2019: Patch is live.
The post XSS flaw in WordPress Live Chat Plugin lets attackers compromise WP sites appeared first on Security Affairs.