New Flaw in WordPress Live Chat Plugin Lets Hackers Steal and Hijack Sessions
Jun 11, 2019
Security researchers have been warning about a critical vulnerability they discovered in one of a popular WordPress Live Chat plugin, which, if exploited, could allow unauthorized remote attackers to steal chat logs or manipulate chat sessions. The vulnerability, identified as CVE-2019-12498, resides in the "WP Live Chat Support" that is currently being used by over 50,000 businesses to provide customer support and chat with visitors through their websites. Discovered by cybersecurity researchers at Alert Logic , the flaw originates because of an improper validation check for authentication that apparently could allow unauthenticated users to access restricted REST API endpoints. As described by researchers, a potential remote attacker can exploit exposed endpoints for malicious purposes, including: stealing the entire chat history for all chat sessions, modifying or deleting the chat history, injecting messages into an active chat session, posing as a custome