Patch for 'easy to exploit' WordPress XSS vulnerability

News by Doug Olenick

WordPress has issued a patch fixing an unauthenticated persistent cross-site scripting vulnerability in its Live Chat Support, which has a reported 60,000 users.


The problem was uncovered by Sucuri on 30 April and a patch was issued in version 8.0.27 on 15 May by WordPress. Even without an account on a vulnerable site, malicious actors could exploit the vulnerability via an unprotected admin_init hook, a popular attack vector.

"In this particular vulnerability, the function wplc_head_basic updates the plugin settings without using proper privilege checks. Since 'admin_init' hooks can be called visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker could use these endpoints to arbitrarily update the option 'wplc_custom_js'," Sucuri wrote.
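The bug class Sucuri describes is an admin_init handler that writes a setting with no capability or nonce check. The snippet below is an added illustration written for this article, not code from the Live Chat Support plugin; the function and option names (example_save_custom_js_unsafe, example_custom_js, example_save_custom_js_safe, the nonce action name) are assumed placeholders, and only the WordPress core APIs it calls are real. It shows the unprotected pattern beside a hardened handler that requires a privileged, authenticated user and a valid nonce before the option is updated.

```php
<?php
// Added illustration, not the plugin's own code. admin_init runs on every
// request to /wp-admin/admin-post.php and /wp-admin/admin-ajax.php, logged-in
// or not, so a settings write hooked here with no checks is reachable by anyone.

// Unprotected pattern (the class of bug described in the article).
// Any POST carrying the field updates the option; the stored value is later
// printed into page output, which is what makes it a persistent XSS.
function example_save_custom_js_unsafe() {
    if ( isset( $_POST['example_custom_js'] ) ) {
        update_option( 'example_custom_js', wp_unslash( $_POST['example_custom_js'] ) );
    }
}

// Hardened handler: same feature, gated properly.
function example_save_custom_js_safe() {
    if ( ! isset( $_POST['example_custom_js'] ) ) {
        return;
    }
    // 1. Must be an authenticated user with a capability that already permits
    //    injecting script into the site; unauthenticated visitors fail here.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' )
         || ! current_user_can( 'unfiltered_html' ) ) {
        return;
    }
    // 2. Must present a nonce tied to this specific action, so a logged-in
    //    admin cannot be tricked into submitting the form from another site.
    //    check_admin_referer() terminates the request on a bad or missing nonce.
    check_admin_referer( 'example_save_custom_js_action', 'example_custom_js_nonce' );

    $value = wp_unslash( $_POST['example_custom_js'] );
    update_option( 'example_custom_js', $value );
}

// Register only the hardened handler. Hooking into 'admin_post_<action>'
// (which requires a logged-in user) instead of 'admin_init' is a further
// narrowing; the capability and nonce checks above are still required.
add_action( 'admin_init', 'example_save_custom_js_safe' );
```

When reviewing a plugin for this pattern, look for any admin_init or admin-ajax callback that calls update_option() without a current_user_can() check and a check_admin_referer() or wp_verify_nonce() call in front of it; the absence of both is the condition that lets an unauthenticated request reach the write.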

Sucuri encouraged anyone using the plugin to update to the latest version of WordPress, due to the vulnerability's ease of exploitation, the number of affected users and the potentially devastating effects of a successful attack.

This article was originally published on SC Media US.
