Researchers have found two 0-day vulnerabilities in Facebook plugins for WordPress and endangered hundreds of thousands of sites

Security experts found two 0-day vulnerabilities in official Facebook plugins for popular CMS WordPress. Moreover, researchers decided to publish technical details before the release of corresponding patches.

Published by Plugin Vulnerabilities experts, the PoC-code is quite useful for cybercriminals to create exploits and launch attacks on vulnerable sites.

Two flaws are present in Messenger Customer Chat and Facebook for WooCommerce plugins. The first allows setting up a Messenger chat window on a site, while second allows WordPress site owners to upload their WooCommerce stores to Facebook pages.

Messenger Customer Chat installed more than 20,000 web resources, Facebook for WooCommerce turned out to be much more popular, with 200,000 installations.

Security issues discovered by researchers represent the possibility of a “cross-site request forgery” (CSRF). Using these vulnerabilities, an authenticated user can change the site settings on the WordPress engine.

Operation can take place under two scenarios:

• Attacker needs to use social engineering and force the registered user to click on the malicious link.
• Attacker himself needs to create an account on the vulnerable resource in order to carry out malicious actions from within.

Despite the lack of corrections, the American company White Fir Design (database administrator for the Plugin Vulnerabilities service) published details about vulnerabilities in two official plugins for WordPress from Facebook. The reason why researchers have put hundreds of thousands of sites at risk is to annoy the WordPress moderators.

Read also: Analysts found vulnerabilities in WordPress plugin that means security threat for nearly 800 000 websites

After several years of controversy, Plugin Vulnerabilities decided that it would not follow the rules of WordPress.org forums, obliging users to report vulnerabilities in plugins not via forums, but via email. In recent years, the Plugin Vulnerabilities team stubbornly violated these requirements, and as a result, were blocked their forum accounts.

Outraged researchers decided to “take revenge” on WordPress.org and instead of reporting their findings to the developers of problematic plugins, they began to publish details about the vulnerabilities in their blog, accompanying them with PoC-exploits. Thus, they described in detail vulnerabilities in Easy WP SMTP, Yuzo Related Posts, Social Warfare, Yellow Pencil Plugin and WooCommerce Checkout Manager, to which cybercriminals were delighted, who immediately added vulnerabilities to their active campaigns.

Source: For ethical reasons, we will not publish link to these vulnerabilities.