Site admins using WP Live Chat Support for WordPress are advised to update the plugin to the latest version to close a persistent cross-site scripting (XSS) vulnerability that can be abused without authentication.
The plugin is installed on over 60,000 websites and is advertised as a free, fully functional chat solution for customer engagement and conversion.
Risk of automated attacks
Researchers at Sucuri discovered that versions of the plugin prior to 8.0.27 are vulnerable to stored (persistent) XSS, which can be exploited remotely by an attacker who does not have an account on the affected website.
Without having to authenticate on the target website, hackers can automate their attacks to cover a larger number of victims. Add to this the popularity of the plugin and the low exploitation effort and you've got a recipe for disaster.
An XSS flaw is pretty serious in itself. It allows hackers to inject malicious code into websites or web apps and compromise visitors' accounts or expose them to modified page content.