New Flaw in WordPress Live Chat Plugin Lets Hackers Steal and Hijack Sessions
Discovered by cybersecurity researchers at , the flaw originates from an improper authentication validation check that could allow unauthenticated users to access restricted REST API endpoints. That access could be abused for:
- stealing the entire chat history for all chat sessions,
- modifying or deleting the chat history,
- injecting messages into an active chat session, posing as a customer support agent,
- forcefully ending active chat sessions, as part of a denial of service (DoS) attack.
The issue affects every WordPress website still running WP Live Chat Support version 8.0.32 or earlier to offer live support, and by extension the customers who chat through it.
Researchers responsibly reported the issue to the maintainers of the affected WordPress plugin, who promptly released an updated and patched version of the plugin just last week. Though researchers have not yet seen any active exploitation of the flaw in the wild, WordPress administrators are strongly advised to install the latest version of the plugin as soon as possible.
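The root cause described above, a REST endpoint whose authentication check does not actually gate access, is the kind of defect a plugin review should catch. The following is an added illustration, not code from WP Live Chat Support or its maintainers: a hypothetical chat-history route registered the weak way, beside a hardened registration; the namespace `example-chat/v1`, the handler name and the `manage_options` capability are assumptions.

```php
<?php
// Hypothetical illustration (not WP Live Chat Support's code): two ways of
// registering a chat-history REST route in a WordPress plugin.

// Weak pattern: the route is reachable by anyone, logged in or not, because
// the permission callback unconditionally returns true. WordPress treats
// that as "public" and runs the handler for unauthenticated requests.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-chat/v1', '/history', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_chat_get_history',
        'permission_callback' => '__return_true',
    ) );
} );

// Hardened pattern: the handler only runs when the permission callback
// passes. Cookie-authenticated browser requests must also carry a valid
// X-WP-Nonce header, which WordPress verifies before this callback is reached.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-chat/v1', '/history-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_chat_get_history',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Reject anonymous callers explicitly with a 401 ...
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
            }
            // ... and require a capability a support agent would hold
            // ('manage_options' is a stand-in; a real plugin would map its own).
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
            }
            return true;
        },
    ) );
} );

function example_chat_get_history( WP_REST_Request $request ) {
    // Placeholder body: a real handler would load and sanitise chat records.
    return rest_ensure_response( array( 'sessions' => array() ) );
}
```

A quick regression check on your own site is an unauthenticated request to the route: the hardened registration answers with a 401 `rest_forbidden` error body, whereas a 200 response carrying chat data is the symptom the article describes.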