Article 4G4GY Hackers actively exploit WordPress plugin flaw to send visitors to bad sites

by Dan Goodin
from Ars Technica - All content on (#4G4GY)
Image caption: A redirection from a site still running a vulnerable version of the plugin.

Hackers have been actively exploiting a recently patched vulnerability in some websites that causes the sites to redirect to malicious sites or display misleading popups, security researchers warned on Wednesday.

The vulnerability was fixed two weeks ago in WP Live Chat Support, a plugin for the WordPress content management system that has 50,000 active installations. The persistent cross-site scripting vulnerability allows attackers to inject malicious JavaScript into sites that use the plugin, which provides an interface for visitors to have live chats with site representatives.

Researchers from security firm Zscaler's ThreatLabZ say attackers are exploiting the vulnerability to cause sites using unpatched versions of WP Live Chat Support to redirect to malicious sites or to display unwanted popups. While the attacks aren't widespread, there have been enough of them to raise concern.

External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/