CVE-2019-9913 in wp-live-chat-support Plugin

Summary

by MITRE

The wp-live-chat-support plugin before 8.0.18 for WordPress has wp-admin/admin.php?page=wplivechat-menu-gdpr-page term XSS.


Analysis

by VulDB Data Team • 05/19/2020

CVE-2019-9913 in the wp-live-chat-support plugin is a cross-site scripting flaw in a plugin for the WordPress content management system. It sits in the plugin's administrative interface, on the GDPR settings page, where user input is not properly sanitized before being rendered back to the browser. An attacker who can inject script code through the term parameter of the admin.php URL gets that code executed in the browsers of other users who visit the affected administrative page.

The flaw is classified as CWE-79, which covers cross-site scripting as a weakness in input validation and output encoding. The affected endpoint is wp-admin/admin.php?page=wplivechat-menu-gdpr-page, where the term parameter is processed without adequate sanitization or escaping. Injected JavaScript therefore runs in the browser context of authenticated administrators, or of any user with sufficient privileges to open the plugin's administrative settings.

The operational impact of this vulnerability extends beyond simple script injection, as it can enable attackers to escalate privileges, steal session cookies, perform unauthorized administrative actions, or redirect users to malicious websites. Since the vulnerability affects the WordPress administrative interface, successful exploitation could allow an attacker to gain full control over the affected WordPress installation, potentially leading to data breaches, website defacement, or further compromise of the underlying server infrastructure. The vulnerability is particularly concerning because it targets the GDPR compliance settings page, which suggests that attackers could manipulate sensitive privacy configuration data.

Mitigation starts with updating the wp-live-chat-support plugin to version 8.0.18 or later, which contains the necessary input validation and output escaping fixes. Organizations should also audit installed WordPress plugins regularly, monitor for unauthorized administrative access attempts, and deploy a web application firewall to detect and block script injection attempts. The ATT&CK framework categorizes this type of vulnerability under T1059.007 for scripting languages and T1548.002 for abuse of group policy modification, highlighting the need for comprehensive defensive measures. Security teams should further consider a content security policy to prevent unauthorized script execution, and keep up regular vulnerability assessments to identify similar issues in other WordPress plugins and themes.
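The unescaped-output pattern the analysis describes, next to its WordPress-idiomatic correction, as an added illustration: this is not the plugin's code, and the function names, the capability, the nonce action and the way the `term` parameter is handled are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's code: a request parameter echoed
// into an admin page unescaped (the pattern behind CWE-79), beside the
// hardened form. Function names and nonce action are assumptions.

// Vulnerable pattern: raw $_GET['term'] is concatenated straight into
// HTML, so any markup in the parameter is rendered by the browser of
// the administrator viewing the page.
function wplc_example_render_gdpr_page_vulnerable() {
    $term = isset( $_GET['term'] ) ? $_GET['term'] : '';
    echo '<h2>GDPR settings</h2>';
    echo '<p>Filtering by: ' . $term . '</p>';
    echo '<input type="text" name="term" value="' . $term . '">';
}

// Hardened pattern: restrict access, tie the filter request to the
// current admin session with a nonce, normalise the input, and escape
// at the point of output with the escaper matching the HTML context.
function wplc_example_render_gdpr_page_hardened() {
    // Only users allowed to manage options may reach this page at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wp-live-chat-support' ) );
    }
    // A crafted link cannot carry a valid nonce for the victim's session.
    if ( isset( $_GET['term'] ) ) {
        check_admin_referer( 'wplc_example_gdpr_filter' );
    }

    // wp_unslash() removes WordPress' added slashes; sanitize_text_field()
    // strips tags, invalid UTF-8 octets and surplus whitespace.
    $term = isset( $_GET['term'] )
        ? sanitize_text_field( wp_unslash( $_GET['term'] ) )
        : '';

    echo '<h2>GDPR settings</h2>';
    // Text-node context: esc_html() encodes <, >, &, " and '.
    echo '<p>Filtering by: ' . esc_html( $term ) . '</p>';

    echo '<form method="get">';
    // Keep the request on this admin page (page slug from the advisory).
    echo '<input type="hidden" name="page" value="wplivechat-menu-gdpr-page">';
    // Emits the _wpnonce field that check_admin_referer() validates above.
    wp_nonce_field( 'wplc_example_gdpr_filter' );
    // Attribute context: esc_attr() for the value attribute.
    echo '<input type="text" name="term" value="' . esc_attr( $term ) . '">';
    echo '</form>';
}
```

The escaping functions are chosen per output context; sanitizing on input alone is not a substitute for escaping at the point where the value is written into HTML.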

Reservation

03/21/2019

Moderation

accepted

CPE

ready

EPSS

0.01377

KEV

no

Activities

very low

Sources
