Researchers have uncovered the second serious bug in a WordPress plugin this month that could lead to the mass compromise of WordPress websites.

The bug in the WP Live Chat Support plugin allows attackers to inject their own code into websites running it. It follows a bug discovered in the plugin six weeks ago that allowed attackers to execute code on affected websites.

WP Live Chat Support is an open source third-party plugin for WordPress that allows users to install live chat functionality on their sites for customer support purposes. There are over 60,000 active installations of the software today, according to its WordPress page.

According to Sucuri, the vulnerability lies in an unprotected admin_init hook. A hook is a point at which WordPress lets plugin code run and alter the behaviour of the core or of other plugins.

WordPress calls the admin_init hook whenever someone visits a WordPress site’s admin page, and developers can use it to call various functions at that point.

The problem is that WordPress does not require authentication before firing admin_init, so any visitor who requests an admin-side URL can trigger the functions attached to it. WP Live Chat's admin hook calls an action called wplc_head_basic, which updates the plugin settings without checking the user's privileges.

An unauthenticated attacker could use this flaw to update an option called wplc_custom_js, which holds JavaScript. That option controls the content that the plugin displays whenever its live chat support window appears. An attacker can therefore insert malicious JavaScript into multiple pages on a WordPress-powered website, the researchers explain.
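To make the mechanism concrete, here is an added example (not WP Live Chat Support's own code) of the pattern the article describes, a settings update attached to admin_init with no privilege check, beside a hardened version that checks the caller's capabilities and a nonce, and a small change-logging hook a site owner can use to notice edits to the option. The option name wplc_custom_js comes from the article; the function names, the request parameter name custom_js, the nonce action name and the hidden form field are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the WP Live Chat Support plugin.
// Option name wplc_custom_js is from the article; everything prefixed
// "example_" and the parameter name "custom_js" are assumptions.

// --- Weak pattern: settings saved from admin_init with no privilege check ---
// admin_init fires on every admin-side request, including wp-admin/admin-ajax.php,
// which WordPress serves to visitors who are not logged in. Anything hooked here
// without its own authorisation check is reachable anonymously.
function example_weak_save_settings() {
    if ( isset( $_POST['custom_js'] ) ) {
        update_option( 'wplc_custom_js', wp_unslash( $_POST['custom_js'] ) );
    }
}
// add_action( 'admin_init', 'example_weak_save_settings' ); // the flawed pattern, left unhooked

// --- Hardened pattern ---
function example_safe_save_settings() {
    // 1. Only act when our own settings form was submitted.
    if ( ! isset( $_POST['example_save_chat_settings'] ) ) {
        return;
    }
    // 2. Authorisation: the caller must be allowed to change site options AND to
    //    store unfiltered markup/script (on multisite, ordinary admins lack the latter).
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 3. CSRF protection: the form must carry a valid nonce for this action.
    //    check_admin_referer() dies with a 403 if the nonce is missing or invalid.
    check_admin_referer( 'example_save_chat_settings', 'example_nonce' );

    // 4. The option is, by design, raw script echoed into public pages, so it cannot
    //    be made safe by escaping; access control above is the real defence.
    $custom_js = isset( $_POST['custom_js'] ) ? wp_unslash( $_POST['custom_js'] ) : '';
    update_option( 'wplc_custom_js', $custom_js );
}
add_action( 'admin_init', 'example_safe_save_settings' );

// Settings form that emits the matching nonce field.
function example_render_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_save_chat_settings', 'example_nonce' );
    echo '<textarea name="custom_js">' . esc_textarea( get_option( 'wplc_custom_js', '' ) ) . '</textarea>';
    echo '<input type="hidden" name="example_save_chat_settings" value="1">';
    submit_button();
    echo '</form>';
}

// --- Detection aid for site owners ---
// update_option_{$option} fires after the option changes; log who changed the
// script-bearing option and from where, so unexpected edits stand out in the logs.
function example_log_custom_js_change( $old_value, $value, $option ) {
    $user = wp_get_current_user();
    $who  = $user && $user->ID ? $user->user_login : 'anonymous';
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'wplc_custom_js changed by %s from %s (old length %d, new length %d)',
        $who, $ip, strlen( (string) $old_value ), strlen( (string) $value )
    ) );
}
add_action( 'update_option_wplc_custom_js', 'example_log_custom_js_change', 10, 3 );
```

The key point is that the hook itself carries no authorisation: current_user_can() and check_admin_referer() must be called inside every admin_init callback that changes state. The logging hook is useful even on an unpatched site, since a change recorded as coming from "anonymous" is a direct indicator of this flaw being exercised.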