Authentication bypass flaw discovered in WP Live Chat Support

A critical vulnerability in a popular WordPress 'live chat' plugin creates a means for unauthorized remote attackers to steal chat logs or manipulate chat sessions.

The authentication bypass flaw – discovered by security researchers at Alert Logic – affects WordPress installs that rely on support from WP Live Chat Support version 8.0.32 or earlier.

The security bug (CVE-2019-12498) creates a means for potential attackers to gain access to the REST API functionality without valid credentials – potentially allowing miscreants to harvest chat logs as well as the ability to manipulate chat sessions.

Arbitrarily ending active chat sessions as part of a denial-of-service attack was also possible.

Alert Logic reckons the vulnerability is not being actively exploited. Even so, the scope for mischief still exists.

Fortunately, Alert Logic worked with the developers allowing for the creation of a patch, the release of which has freed security researchers to go public with their findings.

The vulnerability is best resolved by patching, but might be mitigated using a web application firewall.

WP Live Chat Support, which has been downloaded 1.5 million times, is used by more than 50,000 businesses.

Flaws in the WordPress content management system and its various plugins are legion, which some tech wags have at times described as "remote shell software with blogging extensions".

Javvad Malik, security awareness advocate at vendor KnowBe4, commented: "WordPress is frequently targeted and vulnerabilities are disclosed. Website admins should exercise caution when deciding on which plugins to install and ensure they are kept up-to-date.”

The Daily Swig has asked developers of the plugin to comment on the bug finding.