A security firm has pointed out zero-day vulnerabilities in two Facebook WordPress plugins, ‘Facebook for WooCommerce’ and ‘Messenger Customer Chat’. Both plugins have hundreds of thousands of active installations between them, so the bugs expose a large number of sites. Since the researchers published the respective proofs of concept alongside their reports, the vulnerabilities need an urgent fix.
About ‘Plugin Vulnerabilities’ And The Facebook WordPress Plugins In Question
Researchers from the security firm ‘Plugin Vulnerabilities’ have discovered zero-day bugs in two Facebook WordPress plugins. Continuing their practice of disclosing WordPress plugin bugs publicly, the firm has once again shared the details with the public. In a separate blog post they explain that they disclose vulnerabilities publicly for the sake of customers’ security, and they cite the requirement of having a Facebook account to report a bug to Facebook as another hindrance.
They also point to possible negligence in reviewing the WordPress plugins and question whether these bugs fall within the scope of Facebook’s bug bounty program:
“Since they are both vulnerabilities in the type of code that is often involved in disclosed WordPress plugin vulnerabilities, those vulnerabilities should not have been missed if security reviews of the plugins were done… So, it seems highly unlikely that Facebook got that done with the plugins. Instead… Facebook has a bug bounty program. It isn’t clear if these plugins would fall under that or whether they would even pay out any bounty.”
We are not going to delve into the debate over whether their disclosure practice is right or wrong. Instead, let us quickly review the vulnerabilities they discovered.
Specifically, the security firm found bugs in the ‘Facebook for WooCommerce’ plugin and the ‘Messenger Customer Chat’ plugin. The former currently has over 200,000 active installations, while the latter has more than 20,000.
Proof of Concept
The following proof of concept will cause the message “Proof of Concept” to be added to the bottom of web pages, when logged in to WordPress.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=update_options" method="POST">
<input type="hidden" name="fbmcc_generatedCode" value="Proof of Concept">
<input type="submit" value="Submit" />
</form>
</body>
</html>
CSRF Zero-Day Vulnerabilities Discovered
As stated in the vulnerability report, ‘Facebook for WooCommerce’ is one of the popular plugins for WooCommerce. Its plugin page shows that it has not been tested against the last three releases of WordPress, so it may be prone to compatibility issues with recent versions.
Out of curiosity, the researchers began analyzing the plugin and identified a cross-site request forgery (CSRF) vulnerability: the AJAX function ajax_update_fb_option() performs no nonce check, so nothing ties the request to a page the administrator actually loaded. They have shared a proof of concept in their report.
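To illustrate the class of bug described above, here is an added example (not code from either Facebook plugin) of a WordPress admin-ajax handler that writes an option without a nonce check, beside the hardened form that uses check_ajax_referer(). The action name update_options and the option fbmcc_generatedCode are taken from the published PoC; the nonce action name and script handle are assumed.

```php
<?php
// Added illustration, not code from the plugins discussed above.
// Assumed names: nonce action 'fbmcc_update_options', script handle 'fbmcc-admin'.

// Vulnerable pattern: the handler checks capability but not origin.
// A logged-in administrator who loads a third-party page carrying the
// PoC form submits this request without intending to.
function vulnerable_update_options() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // No nonce check: a capability check alone does not stop CSRF,
    // because the browser attaches the admin's cookies to the forged POST.
    update_option( 'fbmcc_generatedCode', wp_unslash( $_POST['fbmcc_generatedCode'] ?? '' ) );
    wp_send_json_success();
}

// Hardened pattern: nonce bound to the action, then capability, then sanitization.
function hardened_update_options() {
    // Verifies $_REQUEST['security']; on a missing or invalid nonce it
    // terminates the request with "-1" and a 403 status.
    check_ajax_referer( 'fbmcc_update_options', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['fbmcc_generatedCode'] ?? '' ) );
    update_option( 'fbmcc_generatedCode', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_update_options', 'hardened_update_options' );

// The plugin's own admin page must hand the nonce to its JavaScript,
// which then sends it as the 'security' POST field. A page on another
// origin cannot read this value, which is what defeats the forged form.
function fbmcc_enqueue_admin_script() {
    wp_enqueue_script( 'fbmcc-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'fbmcc-admin', 'fbmccAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'fbmcc_update_options' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'fbmcc_enqueue_admin_script' );
```

When reviewing a plugin for this pattern, look for every wp_ajax_ hook whose callback reaches update_option() (or any other state change) without a preceding check_ajax_referer() or wp_verify_nonce() call.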
Following this discovery, the researchers analyzed another plugin and found the same problem in ‘Messenger Customer Chat’: as stated in their report, it contains another CSRF vulnerability, for which they have also shared a PoC.
If exploited, both vulnerabilities allow an attacker to alter WordPress site options. While they may not be as dangerous as other web application vulnerabilities, their public disclosure, PoC included, calls for an immediate fix to protect users of the respective plugins.