CVE-2019-12498: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2019-12498) affects the WP Live Chat Support plugin versions before 8.0.33 for WordPress. The security flaw allows unauthorized users to access restricted REST API endpoints due to improper validation checks for authentication, bypassing the wplc_api_permission_check protection mechanism. The vulnerability was discovered and disclosed on May 31, 2019, affecting over 50,000 WordPress websites using this plugin (Hacker News).

The vulnerability stems from an authentication bypass issue where certain REST API calls could be made without properly invoking the wplc_api_permission_check protection mechanism. This security control was designed to restrict access to sensitive API endpoints but failed to properly validate user permissions (CVE Mitre).

The vulnerability could allow unauthorized attackers to perform several malicious actions including: stealing the entire chat history for all chat sessions, modifying or deleting chat history, injecting messages into active chat sessions, impersonating customer support agents, and forcefully ending active chat sessions as part of a denial of service (DoS) attack (Hacker News).

The vulnerability was patched in version 8.0.33 of the WP Live Chat Support plugin. Website administrators were strongly advised to update to this version or later immediately. The fix was implemented by properly enforcing the wplc_api_permission_check mechanism for all REST API calls (WordPress Plugin).