News

Researchers have found two 0-day vulnerabilities in Facebook plugins for WordPress and endangered hundreds of thousands of sites

Security experts found two 0-day vulnerabilities in official Facebook plugins for popular CMS WordPress. Moreover, researchers decided to publish technical details before the release of corresponding patches.

Published by Plugin Vulnerabilities experts, the PoC-code is quite useful for cybercriminals to create exploits and launch attacks on vulnerable sites.

Two flaws are present in Messenger Customer Chat and Facebook for WooCommerce plugins. The first allows setting up a Messenger chat window on a site, while second allows WordPress site owners to upload their WooCommerce stores to Facebook pages.

Messenger Customer Chat installed more than 20,000 web resources, Facebook for WooCommerce turned out to be much more popular, with 200,000 installations.

Security issues discovered by researchers represent the possibility of a “cross-site request forgery” (CSRF). Using these vulnerabilities, an authenticated user can change the site settings on the WordPress engine.

Operation can take place under two scenarios:

  • Attacker needs to use social engineering and force the registered user to click on the malicious link.
  • Attacker himself needs to create an account on the vulnerable resource in order to carry out malicious actions from within.

Despite the lack of corrections, the American company White Fir Design (database administrator for the Plugin Vulnerabilities service) published details about vulnerabilities in two official plugins for WordPress from Facebook. The reason why researchers have put hundreds of thousands of sites at risk is to annoy the WordPress moderators.

Read also: Analysts found vulnerabilities in WordPress plugin that means security threat for nearly 800 000 websites

After several years of controversy, Plugin Vulnerabilities decided that it would not follow the rules of WordPress.org forums, obliging users to report vulnerabilities in plugins not via forums, but via email. In recent years, the Plugin Vulnerabilities team stubbornly violated these requirements, and as a result, were blocked their forum accounts.

Outraged researchers decided to “take revenge” on WordPress.org and instead of reporting their findings to the developers of problematic plugins, they began to publish details about the vulnerabilities in their blog, accompanying them with PoC-exploits. Thus, they described in detail vulnerabilities in Easy WP SMTP, Yuzo Related Posts, Social Warfare, Yellow Pencil Plugin and WooCommerce Checkout Manager, to which cybercriminals were delighted, who immediately added vulnerabilities to their active campaigns.

Source: For ethical reasons, we will not publish link to these vulnerabilities.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove News-bpudepi.today pop-up ads (Virus Removal Guide)

News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…

23 hours ago

Remove Doguhtam.xyz pop-up ads (Virus Removal Guide)

Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…

23 hours ago

Remove News-xlixoti pop-up ads (Virus Removal Guide)

News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…

23 hours ago

Remove Ducesousightion pop-up ads (Virus Removal Guide)

Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…

23 hours ago

Remove News-xlabica.live pop-up ads (Virus Removal Guide)

News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…

23 hours ago

Remove Mergechain.co.in pop-up ads (Virus Removal Guide)

Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…

23 hours ago