Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Malicious JavaScript injected into WordPress sites using the latest plugin vulnerability


WordPress is by far the most popular content management system (CMS) and, because of its wide usage, it is also popular among cybercriminals. Most of the WordPress sites that have been compromised are the result of attackers exploiting vulnerable versions of the plugins used.

A stored cross-site script vulnerability was discovered last week in the popular WordPress Live Chat Support plugin. The vulnerability allows an unauthenticated attacker to update the plugin settings by calling an unprotected "admin_init hook" and injecting malicious JavaScript code everywhere on the site where Live Chat Support appears. All versions of this plugin prior to version 8.0.27 are vulnerable. The patched version for this vulnerability was released on May 16, 2019,  and has been fixed for version 8.0.27 and higher.

ThreatLabZ researchers recently discovered what may be the first campaign in which attackers are exploiting the Live Chat Support plugin vulnerability and injecting a malicious script that is responsible for malicious redirection, pushing unwanted pop-ups and fake subscriptions. While it is not yet seen as a widespread attack, the number of compromised websites is growing (at the end of this blog there is a link to the names of the compromised sites).


Fig 1: Hits of the compromised WordPress sites


Fig 2: WordPress site using a vulnerable version of the Live Chat Support plugin



Fig 3: Obfuscated script injected in the compromised WordPress site


Fig 4: Deobfuscated version of the injected script

The injected script sends a request to the URL hxxps://blackawardago[.]com to execute the main script.


Fig 5: Request and response to the hxxps://blackawardago[.]com

After the execution of the above script, the victim is redirected to multiple URLs, mainly related to pushing unwanted popup ads and fake error messages.


Fig 6: Highlighted (red) multiple redirected URLs after the execution of the malicious script.


Fig 7: Popups after execution of the malicious script

The domain that hosts the malicious script is a newly created domain hosted on a dedicated IP address.


Fig 8: Whois information of the domain


Cybercriminals actively look for new vulnerabilities in popular content management systems such as WordPress and Drupal, as well as popular the plugins that are found in many websites. An unpatched vulnerability in either the CMS or associated plugins provides an entry point for attackers to compromise the website by injecting malicious code and impacting the unsuspecting users visiting these sites.

It is critical for website owners to apply the security update if they are using the vulnerable plugin, particularly because it is a pre-auth vulnerability and can lead to widespread compromise.

The Zscaler ThreatLabZ team is actively tracking and reviewing all such malicious campaigns to ensure that our customers are protected.



List of compromised sites is available here.

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.