19 Sep

Vulnerability Details: Multiple in WP Live Chat Support

This post provides the details of a vulnerability in the WordPress plugin WP Live Chat Support not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

21 May

Being Proactive About the Security of WordPress Plugins You Use Can Pay Off Big Time Down the Road

On Friday we noted that the moderators of the WordPress Support Forum were getting in the way of people trying to discuss dealing with being hacked due to a vulnerability that had been in the plugin WP Live Chat Support. Looking again yesterday showed that has continued. Here is one topic that was closed without explanation why that even happened. With another one, it was closed due to someone mentioning they were using a pro version of the plugin, that is even though the issue the person was bringing up was caused by the vulnerability being exploited, which has nothing to do with a pro version. Someone could have pointed that out to the moderator that closed it, if they hadn’t closed the topic (not surprisingly the problematic moderator there was once again Jan Dembowski).

Looking at the reviews of the plugin we noticed one from over the weekend titled “Lost a ton of business. Infected with malware.“: [Read more]

17 May

Closures of Very Popular WordPress Plugins, Week of May 17

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week three of those plugins were closed and one is currently closed. [Read more]

17 May

WordPress Support Forum Moderator Jan Dembowski Gets in the Way of People Dealing With Hacks Due to WP Live Chat Support

On Wednesday Sucuri disclosed a settings change vulnerability that leads to a persistent cross-site scripting (XSS) they had discovered in the WordPress plugin WP Live Chat Support after it was partially fixed earlier that day. That same day we warned our customers about that vulnerability. As we noted yesterday morning when disclosing another vulnerability in the plugin, the vulnerabilities they discovered were likely to be exploited soon. Yesterday we had what looked to be a hacker probing for that plugin on our website (and probing for several other plugins), so we expected that it wouldn’t be long until the public reports of it being exploited would crop up.

As of few hours ago a topic on the WordPress Support Forum started up with people discussing that they had been hacked and trying to understand what was going on. Like clockwork the moderators of the Support Forum started causing problems. Numerous replies have been deleted, many of them without any apparent reason, and then the topic was closed. One of the moderators we have frequently seen causing problems (and someone that we are not the only ones to believe they have serious issues, which should probably preclude them from being in that role), explained the closure this way: [Read more]

16 May

GDPR Functionality in WordPress Plugin WP Live Chat Support Allows Anyone to Download Contents of Chats Handled Through It

Yesterday Sucuri disclosed a settings change vulnerability that leads to a persistent cross-site scripting (XSS) in the plugin WP Live Chat Support, which was also fixed yesterday. That vulnerability is likely to be exploited soon. As we started looking over things while adding the vulnerabilities to our data set yesterday, so we could warn the customers of our service if they are using an impacted versions, we found that there are multiple additional security issues caused in part the same security issue that was partially fixed (yes, even the vulnerability fixed, was only actually partially fixed). There is, for example, another setting change vulnerability, though one that doesn’t look to lead to a more serious vulnerability. What stood out more for the seriousness, but also what type of functionality the vulnerability is in, is an information disclosure vulnerability that exposes chat logs and meta data related to those chats to anyone, which occurs through General Data Protection Regulation (GDPR) functionality. So functionality related to data protection does the opposite.

The GDPR functionality already was implicated in two vulnerabilities, based on the changelog entries for previous versions of the plugin: [Read more]

02 Nov

Vulnerability Details: Reflected XSS Vulnerability in WP Live Chat Support

This post provides the details of a vulnerability in the WordPress plugin WP Live Chat Support not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

29 Jun

What Happened With WordPress Plugin Vulnerabilities in May 2018

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during May (and what you have been missing out on if you haven’t signed up yet): [Read more]

01 Sep

What Happened With WordPress Plugin Vulnerabilities in August 2017

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during August (and what you have been missing out on if you haven’t signed up yet): [Read more]

10 Jul

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in WP Live Chat Support

This post provides the details of a vulnerability in the WordPress plugin WP Live Chat Support not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]