Researchers have issued a warning for users of the WordPress Live Chat plugin. This flaw, if exploited could allow attackers to hijack the chat session to watch it or steal information. The flaw originates from the improper validation check for authentication that could potentially allow an unauthorized user to access private chats. The WordPress Live Chat plugin is stated to be used by over 50,000 businesses to provide customer support and chat with consumers through their websites. A potential attacker using this vulnerability could access and steal, modify or delete chat history, inject messages, impersonate a customer service agent or force close the chat as part of a denial of service (DoS) attack. The issue affects all Word Press users that are still using WP Live Chat Support version 8.0.32 or earlier. Researchers reported the issue to WordPress and WordPress immediately released an updated and patched version of their plugin.
Analyst Notes
Users are recommended to install the latest version of the plugin as soon as possible and to only download the patch from WordPress authorized sites.
