Disgruntled security firm discloses zero-days in Facebook's WordPress plugins
Zero-days disclosed in "Facebook for WooCommerce" and "Messenger Customer Chat."
A US-based cyber-security firm has published details about two zero-days that impact two of Facebook's official WordPress plugins.
The details also include proof-of-concept (PoC) code that allows hackers to craft exploits and launch attacks against sites using the two plugins.
Impacted plugins
The two zero-days impact "Messenger Customer Chat," a WordPress plugin that shows a custom Messenger chat window on WordPress sites, and "Facebook for WooCommerce," a WordPress plugin that allows WordPress site owners to upload their WooCommerce-based stores to their Facebook pages.
The first plugin is installed by over 20,000 sites, while the second has a userbase of 200,000 -- with its statistics exploding since mid-April when the WordPress team decided to start shipping the Facebook for WooCommerce plugin as part of the official WooCommerce online store plugin itself.
Since then, the plugin has garnered a collective rating of 1.5 stars, with the vast majority of reviewers complaining about errors and a lack of updates.
The grudge
Nevertheless, despite the plugins' bad reputation, the security of all users who installed these extensions was put at risk today because of a stupid grudge between a Denver-based company called White Fir Design LLC (dba Plugin Vulnerabilities) and the WordPress forum moderation team.
In a dispute that's been raging for years, the Plugin Vulnerabilities team decided they wouldn't follow a policy change on the WordPress.org forums that banned users from disclosing security flaws through the forums and instead required security researchers to email the WordPress team, which would then contact plugin owners.
For years, the Plugin Vulnerabilities team has been disclosing security flaws on the WordPress forums in spite of this rule -- and having its forum accounts banned as a result of this rule-breaking behavior.
Things escalated this past spring when the Plugin Vulnerabilities team decided to take their protest a step further.
Instead of creating topics on the WordPress.org forums to warn users about security flaws, they also started publishing blog posts on their site with in-depth details and PoC code about the vulnerabilities they were finding.