June 18, 2019

Facebook WordPress plug-ins found to have zero-day flaw

By Tech Online Things

Zero-day flaws which impact two of Facebook’s official WordPress plugins have been disclosed by a US-based cybersecurity firm including proof-of-concept (PoC) code that could be used by hackers to exploit the flaws and launch attacks against WordPress sites.

The affected plugins include Messenger Customer Chat which shows a custom Messenger chat window on WordPress sites and Facebook for WooCommerce that allows WordPress site owners to upload their WooCommerce-based stores on their Facebook pages.

The Messenger Customer Chat plugin is installed on over 20,000 sites while the Facebook for WooCommerce plugin has 200,000 users after the WordPress team began shipping the plugin as part of the official WooCommerce online store plugin back in April.

Since that time, the plugin has received a rating of 1.5 stars with reviewers complaining about errors and a lack of updates.

Plugin Vulnerabilities vs WordPress

The flaws in these two plugins became much more dangerous when the cybersecurity firm Plugin Vulnerabilities decided to publicly expose them on the WordPress.org forums.

The firm and WordPress have been feuding for years after a policy change banned users from disclosing security flaws through its forums and instead required security researchers to email the WordPress team who would then contact the owners of any affected plugins.

However, Plugin Vulnerabilities has continued to disclose security flaws on the WordPress forums despite the new rule which resulted in it having its forum accounts banned. The firm took things a step further this spring when it also began to publish blog posts on its site with in-depth details and PoC code about the vulnerabilities it had discovered.

The two zero-day flaws Plugin Vulnerabilities discovered in Facebook’s WordPress plugins aren’t as dangerous as those it has revealed in the past as they require social engineering to get a user to click on a malicious link. Although the flaws are harder to exploit, they could allow attackers to take over WordPress sites.

Security researchers are generally doing a company a favor when they discover vulnerabilities but by not going through the proper channels to report the vulnerabilities it discovered, the US cybersecurity firm put everyone who has those plugins installed at risk.

Via ZDNet