WordPress Plugin Vulnerabilities

WP Live Chat Support < 8.0.33 - Missing Permission Checks on some REST API Calls

Description

The WP Live Chat Support plugin before 8.0.33 for WordPress accepts certain REST API calls without invoking the wplc_api_permission_check protection mechanism.

Affects Plugins

Plugin icon
wp-live-chat-support
Fixed in 8.0.33

References

CVE
CVE-2019-12498

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Jonny Milliken (Active Intelligence)
Verified
No
WPVDB ID
447c8090-d37e-406d-826c-4e1322beb727

Timeline

Publicly Published
2019-05-31 (about 6 years ago)
Added
2020-03-21 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-02-11
Title
Real Estate 7 WordPress < 3.5.2 - Unauthenticated Privilege Escalation
Published
2020-11-09
Title
Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Roles
Published
2024-04-25
Title
Barcode Scanner with Inventory & Order Manager < 1.5.4 - Unauthenticated Privilege Escalation
Published
2025-01-31
Title
WooCommerce Customers Manager < 31.4 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Published
2024-10-09
Title
UserPlus <= 2.0 - Unauthenticated Privilege Escalation