Authentication Bypass in WP Live Chat

Authentication

WP Live Chat for WordPress is a very popular plugin used by many companies to provide online support. Currently, it has more than 50000 active installations. Very recently, researchers from Alert Logic found an authentication bypass vulnerability in this plugin. This vulnerability may be used by an attacker to exfiltrate chat logs and manipulate chat sessions.

Anatomy of the Vulnerability

The vulnerability is caused by a mistake in the logic of a key function that checks for permissions. This function is defined in the modules/api/wplc-api-functions.php file:

function wplc_api_permission_check(){
  return is_user_logged_in() ? check_ajax_referer( 'wp_rest', '_wpnonce', false ) : true;
}

The function wplc_api_permission_check() uses two WordPress functions to check if the user is authenticated and if the user has authorization: is_user_logged_in() and check_ajax_referer(). Due to the developer’s mistake, if is_user_logged_in() returns false, the wplc_api_permission_check() function returns true and check_ajax_referer() is not executed at all.

The wplc_api_permission_check() function is used in the definition of three key REST API endpoints (in the modules/api/wplc-api-routes.php file):

register_rest_route('wp_live_chat_support/v1','/accept_chat', array(
  'methods' => 'GET, POST',
  'callback' => 'wplc_api_accept_chat',
  'permission_callback' => 'wplc_api_permission_check'
));
register_rest_route('wp_live_chat_support/v1','/end_chat', array(
  'methods' => 'GET, POST',
  'callback' => 'wplc_api_end_chat',
  'permission_callback' => 'wplc_api_permission_check'
));
register_rest_route('wp_live_chat_support/v1','/send_message', array(
  'methods' => 'GET, POST',
  'callback' => 'wplc_api_send_message',
  'permission_callback' => 'wplc_api_permission_check'
));

As defined using these three calls, endpoint access depends on the result of the wplc_api_permission_check() function. Therefore, if the user is not authenticated, access is granted, which should definitely not be the case.

This vulnerability was reported by Jonny Milliken of Alert Logic and classified as CVE-2019-12498.

How to Remediate

The wplc_api_permission_check() function was fixed in the latest release of WP Live Chat:

function wplc_api_permission_check(){
  return check_ajax_referer( 'wp_rest', '_wpnonce', false );
}

Therefore, all you need to do is update your plugin to version 8.0.34 or later if available. The upcoming release of Acunetix will also test for this vulnerability.

WP Live Chat seems to have a bad streak. This is the third vulnerability discovered in this plugin in the last couple of weeks. Others include an arbitrary file upload vulnerability and a stored XSS. If you use WP Live Chat, keep your hand on the pulse and make sure that you always update it as soon as possible.

Share this post
Tomasz NideckiTomasz Andrzej Nidecki Technical Content Writer
LinkedIn: https://mt.linkedin.com/in/tonid

Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.