
Researchers disclose two zero-day vulnerabilities impacting two Facebook WordPress plugins

  • The disclosed vulnerabilities are cross-site request forgery (CSRF) flaws that impact ‘Messenger Customer Chat’ and ‘Facebook for WooCommerce’ WordPress plugins.
  • Because they are CSRF flaws, an attacker who lures a logged-in user with sufficient privileges (typically an administrator) to a malicious page can have that user's browser submit a request that alters WordPress site options.

Security firm White Fir Design LLC, which publishes under the name Plugin Vulnerabilities, has released details and proof-of-concept code for two zero-day vulnerabilities in two Facebook-maintained WordPress plugins.

What are the vulnerabilities?

The disclosed vulnerabilities are cross-site request forgery (CSRF) flaws that impact ‘Messenger Customer Chat’ and ‘Facebook for WooCommerce’ WordPress plugins.

  • The ‘Messenger Customer Chat’ plugin, which embeds a custom Messenger chat window on WordPress sites, has more than 20,000 installations.
  • The ‘Facebook for WooCommerce’ plugin, which lets WordPress site owners publish their WooCommerce store catalogs to their Facebook pages, has more than 200,000 installations.

Because they are CSRF flaws, neither vulnerability requires the attacker to hold an account on the target site. Instead, an attacker who lures a logged-in user with sufficient privileges (typically an administrator) to a page they control can have that user's browser submit a forged request to the plugin's settings handler, which then alters WordPress site options as if the user had done it.
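The following is an added illustration of the vulnerability class described above, not code from either Facebook plugin, and the option name, hook and form field names are assumed for the example. The first handler shows the CSRF-prone pattern: it saves an option from a POST request on the strength of the user's login cookie alone, so an attacker's page with an auto-submitting form can drive the change. The second handler adds the two checks a WordPress settings handler needs: a capability check and a nonce tied to this specific action, which an attacker's page cannot obtain because the same-origin policy prevents it from reading the site's own form.

```php
<?php
/**
 * Added example: a CSRF-prone WordPress settings handler beside its
 * hardened form. Not code from the Facebook plugins; 'example_chat_*'
 * names are assumed for illustration.
 */

// --- Vulnerable pattern --------------------------------------------------
// Runs on every wp-admin request. Because the only "check" is the
// auth cookie the browser attaches automatically, a cross-site POST
// to wp-admin/ from an attacker's page changes the option for whichever
// logged-in user visits that page.
function example_chat_save_settings_vulnerable() {
    if ( ! isset( $_POST['example_chat_page_id'] ) ) {
        return;
    }
    // No nonce, no capability check, no validation.
    update_option( 'example_chat_page_id', $_POST['example_chat_page_id'] );
}
// add_action( 'admin_init', 'example_chat_save_settings_vulnerable' ); // the flawed wiring

// --- Hardened pattern ----------------------------------------------------
function example_chat_save_settings_fixed() {
    if ( ! isset( $_POST['example_chat_page_id'] ) ) {
        return;
    }
    // 1. Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry the nonce that only the plugin's own
    //    settings form (rendered for this user and this action) includes.
    //    check_admin_referer() terminates with a 403 if it is missing or invalid.
    check_admin_referer( 'example_chat_save_settings', 'example_chat_nonce' );
    // 3. Validate and sanitize before storing.
    $page_id = sanitize_text_field( wp_unslash( $_POST['example_chat_page_id'] ) );
    if ( ! ctype_digit( $page_id ) ) {
        wp_die( 'Invalid page ID.', '', array( 'response' => 400 ) );
    }
    update_option( 'example_chat_page_id', $page_id );
}
add_action( 'admin_init', 'example_chat_save_settings_fixed' );

// The settings form must emit the matching nonce field; without it the
// hardened handler also rejects the site owner's legitimate submissions.
function example_chat_render_settings_page() {
    ?>
    <form method="post"
          action="<?php echo esc_url( admin_url( 'admin.php?page=example-chat-settings' ) ); ?>">
        <?php wp_nonce_field( 'example_chat_save_settings', 'example_chat_nonce' ); ?>
        <label>Facebook Page ID
            <input type="text" name="example_chat_page_id"
                   value="<?php echo esc_attr( get_option( 'example_chat_page_id', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look for every code path that calls `update_option()` (or `update_site_option()`) in response to request data and confirm that both a `current_user_can()` check and a `check_admin_referer()` / `wp_verify_nonce()` check precede it; a capability check alone does not stop CSRF, and a nonce check alone does not stop a low-privileged user who legitimately receives the form.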

Proof-of-Concept published

The security firm, White Fir Design LLC, which publishes as Plugin Vulnerabilities, also released proof-of-concept code, giving attackers a ready template for building exploits against sites that run either plugin.

The WordPress.org support forums prohibit security researchers from disclosing vulnerabilities in forum posts and instead ask them to report vulnerabilities to the WordPress team by email.

The Plugin Vulnerabilities team chose not to follow that policy and continued to disclose security flaws on the WordPress forums, which led to its forum accounts being banned.

Now the Plugin Vulnerabilities team has gone a step further by publishing in-depth details and PoC code for the two vulnerabilities on its own blog.
