Blog | G5 Cyber Security

WP Live Chat WordPress Plugin Re-Patches File Upload Flaw

A vulnerability in the WP Live Chat WordPress plugin could allow an attacker to upload arbitrary malicious files to vulnerable systems. A previously discovered critical arbitrary file upload flaw (CVE-2018-12426) was patched in the plugin, but researchers on Monday said they were able to bypass that fix in a proof-of-concept attack. The new fix addresses a glitch in the plugin's validation functions, which check that an uploaded file is not malicious. File upload vulnerabilities used against WordPress are prevalent and easy for attackers to exploit.

Source: https://threatpost.com/wp-live-chat-wordpress-plugin-re-patches-file-upload-flaw/144420/
