A cybersecurity firm has published details of two zero-day vulnerabilities affecting two Facebook WordPress plugins.
What are the vulnerabilities?
The disclosed vulnerabilities are cross-site request forgery (CSRF) flaws in the ‘Messenger Customer Chat’ and ‘Facebook for WooCommerce’ WordPress plugins.
Because the affected requests are not protected against CSRF, an attacker who lures a logged-in user with sufficient privileges to a malicious page could have that user's browser alter WordPress site options without the user's knowledge.
The security firm, White Fir Design LLC, also known as Plugin Vulnerabilities, also published proof-of-concept (PoC) code, which gives attackers a ready starting point for building exploits against sites that run the two plugins.
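To show what this class of flaw looks like in a WordPress plugin, here is an added example; it is not the plugins' own code and not the published PoC. It shows a generic AJAX handler that saves a site option: the first version honours any request made in a logged-in session, so a page on an attacker-controlled origin can submit it through the victim's browser, while the second adds the nonce and capability checks WordPress provides. The action name `example_save_option`, the option key `example_plugin_setting` and the parameter names are assumptions made for the illustration.

```php
<?php
// Added illustration of a CSRF-prone WordPress AJAX handler and its hardened form.
// Action name, option key and parameter names are hypothetical.

// VULNERABLE (shown for contrast; never register this handler).
// Any request arriving in a logged-in session is honoured. A page on another
// origin can auto-submit a form to
//   https://victim.example/wp-admin/admin-ajax.php?action=example_save_option
// and the browser attaches the victim's WordPress cookies, so the option is
// changed without the victim's knowledge (cross-site request forgery).
function example_save_option_vulnerable() {
    $value = $_POST['value'] ?? '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}

// HARDENED: the same handler with the checks a reviewer expects to see.
function example_save_option_hardened() {
    // 1. CSRF protection: the request must carry a nonce minted for this
    //    action and this user. check_ajax_referer() stops the request with
    //    HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'example_save_option', 'nonce' );

    // 2. Authorization: being logged in is not enough; only users allowed
    //    to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input handling: unslash and sanitize before storing.
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}
add_action( 'wp_ajax_example_save_option', 'example_save_option_hardened' );

// The legitimate settings page obtains a nonce server-side and sends it with
// the request; a forged cross-origin request cannot obtain this value.
// (Hooked to admin_footer only to keep the illustration self-contained.)
function example_settings_page_script() {
    $nonce = wp_create_nonce( 'example_save_option' );
    ?>
    <script>
    fetch(ajaxurl, {
        method: 'POST',
        credentials: 'same-origin',
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
        body: new URLSearchParams({
            action: 'example_save_option',
            nonce:  '<?php echo esc_js( $nonce ); ?>',
            value:  'new-setting'
        })
    });
    </script>
    <?php
}
add_action( 'admin_footer', 'example_settings_page_script' );
```

Both checks are needed: the nonce proves the request was made intentionally from the site's own pages, while the capability check proves the user is allowed to change options at all. A handler that has only one of them is still exploitable, either by a forged request from a privileged user's browser or by a low-privileged account making the request directly.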
The WordPress.org forums had banned security researchers from disclosing vulnerabilities through the forums and instead asked them to email the WordPress team about the vulnerability.
However, the Plugin Vulnerabilities team decided not to follow the policy change and continued to disclose security flaws on the WordPress forums, which resulted in its forum accounts being banned.
Now, the Plugin Vulnerabilities team has gone a step further by publishing in-depth details and PoC code for the vulnerabilities on its blog.