Security researchers have recently disclosed two zero-day vulnerabilities affecting two Facebook WordPress plugins. Read on to learn more about these security vulnerabilities.
Security researchers have recently disclosed two zero-day vulnerabilities affecting two Facebook WordPress plugins. A WordPress security researcher claims to have found cross-site request forgery flaws in two WordPress plugins developed by Facebook, Facebook for WooCommerce and Messenger Customer Chat. The researcher published the bugs on the Plugin Vulnerabilities website, disclosing the flaws before notifying the vendor, in what the firm says is a protest against the moderators of the WordPress Support Forum.
The disclosed vulnerabilities are cross-site request forgery (CSRF) flaws affecting the ‘Messenger Customer Chat’ and ‘Facebook for WooCommerce’ WordPress plugins. In a cross-site request forgery, an attacker abuses the fact that the browser automatically attaches the victim’s session cookies to HTTP requests: a logged-in user who opens an attacker-controlled page can be made to submit a request to a web application, which then carries out unwanted actions (changing their email address, transferring funds, and so on) as though the user had intended them.
According to the security firm, Plugin Vulnerabilities, in the case of Messenger Customer Chat, “due to the sanitization, what this vulnerability could lead to is limited to disabling the functionality of the plugin or placing a message on the website’s pages, as the value of the option is placed at the bottom of frontend pages.”
According to the security firm, Facebook for WooCommerce was also found to be missing the nonce needed to prevent CSRF. According to Facebook for WooCommerce’s page in the WordPress plugin repository, the plugin also has not been tested with the latest three major releases of WordPress.
These vulnerabilities could allow an attacker to have an authenticated user unwittingly alter WordPress site options. According to the security firm, both plugins, developed by Facebook, are widely used.
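To show what the missing nonce mentioned above means in practice, here is an added example (not code from either Facebook plugin) of a WordPress settings handler for a hypothetical option `example_chat_message`: first without the check, then with the nonce and capability checks that WordPress provides for exactly this purpose.

```php
<?php
// Added example, not code from either Facebook plugin. Hypothetical
// option "example_chat_message" saved through admin-post.php.

// BEFORE (the weakness described above): no nonce check. Any request
// to admin-post.php?action=example_save_chat that a logged-in admin's
// browser sends, including one submitted by a form on another site,
// updates the option, because nothing proves the request came from
// this site's own settings form.
function example_save_chat_vulnerable() {
    $msg = sanitize_text_field( wp_unslash( $_POST['example_chat_message'] ?? '' ) );
    update_option( 'example_chat_message', $msg );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-chat' ) );
    exit;
}

// AFTER: the settings form embeds a nonce bound to this action and the
// current user's session; a page on another site cannot obtain it.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_chat">
        <?php wp_nonce_field( 'example_save_chat', 'example_chat_nonce' ); ?>
        <input type="text" name="example_chat_message"
               value="<?php echo esc_attr( get_option( 'example_chat_message', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_chat_hardened() {
    // Dies with a 403 "link expired" page if the nonce is missing,
    // stale, or was issued for another user or action.
    check_admin_referer( 'example_save_chat', 'example_chat_nonce' );
    // A nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    $msg = sanitize_text_field( wp_unslash( $_POST['example_chat_message'] ?? '' ) );
    update_option( 'example_chat_message', $msg );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-chat' ) );
    exit;
}
add_action( 'admin_post_example_save_chat', 'example_save_chat_hardened' );
```

Note that sanitization, as in the Messenger Customer Chat case, only limits what a forged request can write; it does not stop the request from being accepted, which is what the nonce check does.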
The ‘Messenger Customer Chat’ plugin, which shows a custom Messenger chat window on WordPress sites, is installed on over 20,000 websites. The ‘Facebook for WooCommerce’ plugin, which allows WordPress site owners to publish their WooCommerce-based stores on their Facebook pages, has been installed by over 200,000 users.
The security firm, White Fir Design LLC, also known as Plugin Vulnerabilities, also published proof-of-concept code that would allow attackers to build exploits targeting sites running the two plugins. The WordPress.org forums had banned security researchers from disclosing vulnerabilities through the forums, asking them instead to email the WordPress team about the vulnerability.
However, the Plugin Vulnerabilities team decided not to follow the policy change and continued to disclose security flaws on the WordPress forums, which resulted in its forum accounts being banned.
Now the Plugin Vulnerabilities team has gone a step further by publishing in-depth details and PoC code for the vulnerabilities on its blog.