Critical Vulnerability in WordPress WP Live Chat – CVE-2019-12498

Cybersecurity security researchers at Alert Logic have announced warning about a critical vulnerability they discovered in one of a popular WordPress Live Chat plugin, which, if exploited, could allow unauthorized remote attackers to steal chat logs or manipulate chat sessions.

Technical Analysis

The vulnerability, identified as CVE-2019-12498, resides in the "WP Live Chat Support" that is currently being used by over dozens of thousands businesses to provide customer support and chat with visitors through their websites.

Discovered flaw originates because of an improper validation check for authentication that apparently could allow unauthenticated users to access restricted REST API endpoints. The restricted REST API endpoints of the affected versions of WP Live Chat are vulnerable to abuse by unauthenticated remote attackers due to a flaw in the ‘wplc_api_permission_check()’ function.

The above series of ‘register_rest_route()’ calls define those REST API endpoints which should have access restrictions due to the nature of the functionality they expose. Each restricted endpoint shares the same ‘permission_callback’ function, namely the ‘wplc_api_permission_check()’ function which will be explored shortly.

A potential attacker could make use of all these endpoints for malicious purposes including:

• Injecting messages into an active chat session, posing as a customer support agent,
• Stealing the entire chat history for all chat sessions,
• Editing injected messages to retroactively conceal what any injected messages contained,
• Forcefully ending active chat sessions, as part of a denial of service (DoS) attack.

Remediation and Mitigation

The issue affects all WordPress websites, and also their customers, who are still using WP Live Chat Support version 8.0.32 or earlier to offer live support.

WordPress administrators are highly recommended to install the latest version of the plugin as soon as possible. You can file a support request on your AltaGrade Dashboard if you want us to perform with this update for your WordPress project.