WP Live Chat custom js attack

WordPress Live Chat support plugin redirect vulnerability – how to fix

A security flaw in the WordPress Live Chat support plugin made it vulnerable to XSS, allowing an attacker to add custom JavaScript to the plugin's configuration. This can be done from the outside world without being logged in to the site.

The exploit has been used to infect WordPress sites with, for example, redirect scripts that send visitors to other sites when they click internal links on the site. More information about the details of the exploit can be found here.

The vulnerability in the WP Live Chat support plugin has been fixed in version 8.0.29 of the plugin, but just updating the plugin will not solve the problem if the site has already been infected with custom JavaScript code.

To solve the problem:

  • Make sure the WP Live Chat support plugin is updated to version 8.0.29
  • In the WP backend, go to Live Chat -> Settings -> Custom scripts and remove the unwanted code from the Custom JS box (see image)
WP Live Chat custom js attack
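
The two checks above can be scripted when several sites need review. This Python sketch is an added example, not code from the plugin or the original post: it takes the installed plugin version and the text copied from the Custom JS box, and reports what still needs attention. The indicator patterns and the sample script are constructed assumptions and are not exhaustive.

```python
import re

FIXED_VERSION = (8, 0, 29)  # first fixed release according to this article

# Heuristic indicators of injected redirect/loader code (assumed, not exhaustive).
INDICATORS = {
    "navigation change": re.compile(
        r"\b(?:window|document|top|self)\.location\b|location\.(?:href|replace|assign)", re.I),
    "external script load": re.compile(
        r"<script[^>]+src\s*=|createElement\(\s*['\"]script['\"]", re.I),
    "obfuscation": re.compile(
        r"\beval\s*\(|String\.fromCharCode|\batob\s*\(|unescape\s*\(", re.I),
    "click hijack": re.compile(
        r"addEventListener\(\s*['\"]click['\"]|\.onclick\s*=", re.I),
}

# Constructed sample of what an infected Custom JS box might contain.
SAMPLE_CUSTOM_JS = (
    "document.addEventListener('click', function () {"
    " window.location = 'https://redirect.example/'; });"
)

def parse_version(text):
    """Turn '8.0.27' into (8, 0, 27); non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(plugin_version, custom_js):
    """Return a list of findings for one site; an empty list means both checks pass."""
    findings = []
    if parse_version(plugin_version) < FIXED_VERSION:
        findings.append(f"plugin {plugin_version} is older than 8.0.29: update")
    js = custom_js.strip()
    if js:
        # Updating does not clear stored script, so any content must be reviewed.
        hits = [name for name, rx in INDICATORS.items() if rx.search(js)]
        label = ", ".join(hits) if hits else "no known indicator, review manually"
        findings.append(f"Custom JS box is not empty ({label})")
    return findings

if __name__ == "__main__":
    # An updated site that was infected before the update still has a finding.
    for line in audit("8.0.29", SAMPLE_CUSTOM_JS):
        print(line)
```

A site that legitimately uses the Custom JS box will also be reported; the point is that anything stored there gets read by a person after the update.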
Zello

How to run Zello on Mac OSX

Unfortunately, there is no version of Zello available for Mac OSX, but it is possible to run the Windows version using Wine.

  • Download and install XQuartz version >= 2.7.7
  • Log out and log back in on your Mac
  • Download and install “Wine stable”
  • Download “Zello for PC”
  • Launch Finder, go to Programs and run “Wine stable”
  • In the Wine terminal window, run
    cd Downloads
    wine ZelloSetup.exe
  • The Zello setup process will install Zello and launch it. The next time you want to run Zello, launch Finder, go to Programs and run “Wine stable” and enter
    wine C:\\Program\ Files\ \(x86\)\\Zello\\Zello.exe