
WordPress fixes plug-in vulnerability

Check Point : 05 November, 2014  (Technical Article)
A vulnerability in the LiveSupporti WordPress plug-in has been fixed after Check Point raised the issue with the CMS supplier.

Researchers at Check Point Software Technologies recently discovered a critical vulnerability in the LiveSupporti WordPress plug-in that would have enabled attackers to steal personal and financial data from thousands of websites and their visitors via the. After being alerted to the situation by Check Point, LiveSupporti plugged the security hole.

LiveSupporti is a software service that enables website visitors to engage in a live chat with representatives (or “agents”) of the site. LiveSupporti offers a WordPress plug-in, which enables owners of WordPress blogs and sites to easily add LiveSupporti’s live chat support. Any site visitor can initiate this text-based chat with the site’s owner, operator, or other agent. The free WordPress plug-in is currently in version 1.0.0 and has been downloaded more than 26,000 times. Adding LiveSupporti to a website is just a matter of adding a snippet of code to the website’s HTML.

Check Point security researchers have often taken the lead in identifying and ‘cracking the code’ on emerging security threats, such as the recent DirCrypt Ransomware exploit.

In this case, Check Point researchers discovered a significant persistent cross-site scripting (XSS) vulnerability in the LiveSupporti website chat history service. The vulnerability could have allowed an attacker to send a site agent a crafted string via text chat, which could then be executed when the site’s chat history was accessed. This may have resulted in account hijacking by changing the account details or by other Man-in-the-Browser (MitB) attack methods, such as loading Browser Exploitation Framework (BeEF) testing tools.

By taking control of a WordPress LiveSupporti admin account, an attacker could have stolen personal and financial data from a website’s owner or operator. Thousands of websites around the globe would have been affected.

Check Point reported the security hole to LiveSupporti. LiveSupporti and WordPress confirmed the vulnerability and fixed it (CVE-2014-6063).
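
The persistent XSS pattern described above, and the output encoding that closes it, shown as an added example (this is not LiveSupporti or WordPress code). The function names, the `<li>` template and the sample chat history are assumptions made for illustration.

```javascript
// Added illustration; all names and sample data below are constructed.

// Constructed chat history as a store might return it: visitor-controlled fields.
const sampleHistory = [
  { from: "visitor-1", text: "Hi, has my order shipped?" },
  { from: "visitor-2", text: '<img src=x onerror="alert(1)">' },
  { from: 'v"3', text: "Tom & Jerry <3" },
];

// Vulnerable pattern: stored visitor text is concatenated into the history page,
// so markup inside a message becomes live markup when the history is viewed.
function renderHistoryUnsafe(history) {
  return history
    .map((m) => `<li title="${m.from}">${m.text}</li>`)
    .join("\n");
}

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every stored field is encoded at output time, both in the
// element body and in the quoted attribute value.
function renderHistorySafe(history) {
  return history
    .map((m) => `<li title="${escapeHtml(m.from)}">${escapeHtml(m.text)}</li>`)
    .join("\n");
}

// Regression check: strip the template's own tags, then report whether any raw
// "<" from stored data survived into the rendered page.
function hasUnencodedTag(html) {
  const withoutTemplate = html
    .replace(/<li title="[^"<>]*">/g, "")
    .replace(/<\/li>/g, "");
  return withoutTemplate.includes("<");
}

console.log("unsafe render flagged:", hasUnencodedTag(renderHistoryUnsafe(sampleHistory)));
console.log("safe render flagged:  ", hasUnencodedTag(renderHistorySafe(sampleHistory)));
console.log(renderHistorySafe(sampleHistory));
```

A check like `hasUnencodedTag` is suited to a unit test over the rendering template; it does not replace encoding at output time.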
