Attackers are exploiting WordPress plugin flaw to inject malicious scripts
Attackers are leveraging an easily exploitable bug in the popular WP Live Chat Support plugin to inject malicious JavaScript into vulnerable sites, Zscaler warns.
The company has so far discovered 47 affected sites (some have been cleaned up in the meantime), but that number is unlikely to be final.
The source of the compromise
The stored cross-site scripting (XSS) vulnerability the attackers are exploiting was discovered by Sucuri researchers earlier this year, and the plugin developers pushed out a security update fixing it on May 15.
“The vulnerability allows an unauthenticated attacker to update the plugin settings by calling an unprotected “admin_init hook” and injecting malicious JavaScript code everywhere on the site where Live Chat Support appears,” Zscaler researcher Prakhar Shrotriya noted.
The injected script requests a second-stage script from an attacker-owned domain; that script redirects the visitor through a chain of URLs that serve unwanted pop-up ads and fake error messages.
Other sources report redirections to further spam sites as well.
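The quoted description amounts to a classic WordPress anti-pattern: a settings handler hooked to admin_init that trusts the request. admin_init fires on any request to wp-admin, including unauthenticated calls to admin-ajax.php, so a handler that writes $_POST straight into the options table lets anyone who can reach the site overwrite settings that are later echoed into every page. The following is an added, illustrative reconstruction, not the plugin's actual code: the function names, option names and form field names (example_chat_*) are assumptions, chosen only to show the vulnerable pattern next to its hardened form.

```php
<?php
/*
 * Illustrative example (not WP Live Chat Support's code). All example_chat_*
 * names are assumptions; the WordPress API calls are real.
 */

// VULNERABLE PATTERN: admin_init runs for every wp-admin request, including
// unauthenticated admin-ajax.php calls. No capability check, no nonce, no
// sanitisation: any visitor who can POST to the site can rewrite these options.
function example_chat_save_settings_vulnerable() {
    if ( isset( $_POST['example_chat_settings_submit'] ) ) {
        // Stored verbatim, later printed wherever the chat widget renders:
        // a site-wide stored XSS reachable without a login.
        update_option( 'example_chat_greeting', $_POST['example_chat_greeting'] );
    }
}
// add_action( 'admin_init', 'example_chat_save_settings_vulnerable' ); // do not use

// HARDENED PATTERN: authorise, verify the nonce, sanitise on input.
function example_chat_save_settings_hardened() {
    if ( ! isset( $_POST['example_chat_settings_submit'] ) ) {
        return;
    }
    // 1. Authorisation: only users who may manage options can change them.
    //    This alone closes the unauthenticated attack described above.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the request must carry a nonce issued for this action
    //    (the settings form emits it with wp_nonce_field(), see the note below).
    check_admin_referer( 'example_chat_save_settings', 'example_chat_nonce' );

    // 3. Sanitise on input: a free-text greeting must not carry markup at all.
    $greeting = sanitize_text_field( wp_unslash( $_POST['example_chat_greeting'] ?? '' ) );
    update_option( 'example_chat_greeting', $greeting );
}
add_action( 'admin_init', 'example_chat_save_settings_hardened' );

// 4. Escape on output, for the context the value lands in (HTML text here).
function example_chat_render_widget() {
    $greeting = get_option( 'example_chat_greeting', '' );
    echo '<div class="example-chat-greeting">' . esc_html( $greeting ) . '</div>';
}
add_action( 'wp_footer', 'example_chat_render_widget' );
```

The settings form that posts to the hardened handler must include `wp_nonce_field( 'example_chat_save_settings', 'example_chat_nonce' );` so that check_admin_referer() succeeds; the capability check is the control that actually removes the unauthenticated path, the nonce prevents a logged-in administrator from being tricked into submitting the change, and escaping at output keeps any value that does reach the database from executing in visitors' browsers.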
Double trouble
WP Live Chat Support is one of the most popular WordPress chat plugins, with over 50,000 active installations, which makes it an attractive target for attackers.
They also recently exploited another flaw in the plugin, one that allowed them to upload arbitrary malicious files to vulnerable systems. Judging by the comments left by some users, the initial patches for that vulnerability were apparently not effective.
Users are advised to update the plugin to the latest available version (8.0.32), but they may choose to disable it altogether until they get confirmation that all the patches work (I’ve asked and am waiting for the response). They are also urged to clean up their site’s code to remove the offending scripts.
“Cybercriminals actively look for new vulnerabilities in popular content management systems such as WordPress and Drupal, as well as the popular plugins that are found in many websites. An unpatched vulnerability in either the CMS or associated plugins provides an entry point for attackers to compromise the website by injecting malicious code and impacting the unsuspecting users visiting these sites,” Shrotriya pointed out, and urged users to keep their installations up to date.
UPDATE (May 30, 2019, 6:25 a.m. PT):
The developers confirmed they have recently released updates to WP Live Chat Support that have corrected both issues and advise users to upgrade to version 8.0.32 (the most recently released update).