Facebook WordPress plug-ins found to have zero-day flaw

Zero-day flaws could allow an attacker to take over a WordPress site


Zero-day flaws which impact two of Facebook’s official WordPress plugins have been disclosed by a US-based cybersecurity firm, including proof-of-concept (PoC) code that could be used by hackers to exploit the flaws and launch attacks against WordPress sites.

The affected plugins are Messenger Customer Chat, which shows a custom Messenger chat window on WordPress sites, and Facebook for WooCommerce, which allows WordPress site owners to upload their WooCommerce-based stores to their Facebook pages.

The Messenger Customer Chat plugin is installed on over 20,000 sites, while the Facebook for WooCommerce plugin has 200,000 users after the WordPress team began shipping the plugin as part of the official WooCommerce online store plugin back in April.

Since then, the plugin has received a rating of 1.5 stars, with reviewers complaining about errors and a lack of updates.

Plugin Vulnerabilities vs WordPress
The flaws in these two plugins became much more dangerous when the cybersecurity firm Plugin Vulnerabilities decided to publicly expose them on the WordPress.org forums.

The firm and WordPress have been feuding for years, ever since a policy change banned users from disclosing security flaws through the WordPress.org forums and instead required security researchers to email the WordPress team, who would then contact the owners of any affected plugins.

However, Plugin Vulnerabilities has continued to disclose security flaws on the WordPress forums despite the new rule, which resulted in its forum accounts being banned. The firm took things a step further this spring when it also began to publish blog posts on its site with in-depth details and PoC code for the vulnerabilities it had discovered.

The two zero-day flaws Plugin Vulnerabilities discovered in Facebook’s WordPress plugins aren’t as dangerous as those it has revealed in the past, as they require social engineering to get a user to click on a malicious link. Although the flaws are harder to exploit, they could still allow attackers to take over WordPress sites.

Security researchers are generally doing a company a favor when they discover vulnerabilities, but by not going through the proper channels to report the vulnerabilities it discovered, the US cybersecurity firm put everyone who has those plugins installed at risk.

Via ZDNet

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.