As tech giants, Facebook and WordPress are two of the biggest entities in the world. It makes sense that WordPress Webmasters would be keen to integrate Facebook with their WordPress sites as much as possible, to create a seamless experience for their users. So when cracks and security vulnerabilities start to appear in WordPress/Facebook plug-ins, people take notice.
That’s exactly what’s happening now after zero-day vulnerabilities were discovered that affected two popular Facebook related WordPress plug-ins. But as you’ll see, the problem lies not so much in the vulnerabilities themselves, but in the way in which the problems have been publicized.
Which Plug-Ins Are Affected?
Messenger Customer Chat is an official Facebook-developed WordPress plug-in that enables Facebook Messenger on WordPress sites to act as a customer chat interface. Given that Messenger Customer Chat is an official Facebook release, it comes as some surprise that there are only around 20,000 active installations.
Another official Facebook release, Facebook for WooCommerce is significantly more popular with around 200,000 active installations. The purpose of this WordPress plug-in is to allow WordPress Webmasters to upload WooCommerce product feeds directly to Facebook pages for the purpose of running dynamic ads and creating a pseudo-shop directly on a Facebook page.
The security vulnerabilities recognized in both of these plug-ins work in a similar way. Both flaws effectively allow hackers to alter the site options of a WordPress site and gain access to the site itself. Hackers can only do so if they are already an authenticated user of the site, but this requires little more than one additional step whereby the hacker must register an account on the website before staging their attack.
In technical terms, both plug-ins appear to be missing the checks that would otherwise prevent cross-site request forgery (CSRF), an attack that could, for example, force a target to take an unwanted action such as changing their registered email address. It is also claimed that Messenger Customer Chat is missing a separate check that would otherwise limit the types of users that can gain access.
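To make the two missing checks concrete, here is an added example of a WordPress settings handler that stores one site option, shown first in the flawed shape the article describes (no CSRF nonce verification and no user-capability check) and then hardened with both. This is illustrative code written for this article, not code from either Facebook plug-in; the option name, action name, nonce name and settings page are invented for the example.

```php
<?php
/**
 * Added example, not code from the Facebook plug-ins or from this article.
 * All option, action, nonce and page names below are invented.
 */

// --- Flawed shape (shown, deliberately NOT hooked): any POST that reaches this
// function updates the option. A forged cross-site request riding on a logged-in
// victim's session succeeds because there is no nonce check, and a self-registered
// subscriber posting directly succeeds because there is no capability check.
function example_vulnerable_save_settings() {
    if ( isset( $_POST['example_page_id'] ) ) {
        update_option( 'example_page_id', $_POST['example_page_id'] );
    }
}
// add_action( 'admin_init', 'example_vulnerable_save_settings' ); // how a plug-in might wire it

// --- Hardened shape.

// Settings page (invented slug) that renders the form. add_options_page already
// restricts who can see the page, but the save handler must check again.
add_action( 'admin_menu', function () {
    add_options_page( 'Example Chat', 'Example Chat', 'manage_options',
        'example-chat-settings', 'example_render_settings_form' );
} );

// Form side: wp_nonce_field() emits a nonce bound to this action and to the
// current user, so a request forged from another origin cannot supply it.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_settings">
        <label>Facebook Page ID
            <input type="text" name="example_page_id"
                   value="<?php echo esc_attr( get_option( 'example_page_id', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handler: the admin_post_{action} hook only fires for logged-in users
// (admin_post_nopriv_{action} is the anonymous variant), but "logged in" is
// not "authorised", which is exactly the gap the article describes.
function example_hardened_save_settings() {
    // 1. Authorisation: only users who may manage the site can change options.
    //    This is what stops a subscriber who registered just to attack; a nonce
    //    alone would not, because WordPress issues nonces to every logged-in user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: verify the nonce tied to this action; dies with a 403 on failure.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Validate and sanitise before storing; a Facebook page ID is numeric.
    $page_id = isset( $_POST['example_page_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_page_id'] ) )
        : '';
    if ( '' !== $page_id && ! ctype_digit( $page_id ) ) {
        wp_die( 'Invalid page ID', '', array( 'response' => 400 ) );
    }

    update_option( 'example_page_id', $page_id );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-chat-settings&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_hardened_save_settings' );
```

The order of the two checks matters less than their presence: the nonce defeats the forged-request case, and the capability check defeats the registered-low-privilege-user case, and the article describes both plug-ins as missing the first while Messenger Customer Chat also lacked the second. When reviewing a plug-in, look for every code path that calls update_option() and confirm each one sits behind both a nonce verification and a current_user_can() test.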
Going about It the Wrong Way
We earlier reported on a critical security event that affected WordPress sites powered by WooCommerce. In that report, we uncovered the actions of a security company going by the name of Plugin Vulnerabilities, who seek out vulnerabilities and security issues in WordPress plug-ins and publish the details directly on their blog, including full proofs of concept.
While promoting their own security services at the same time, Plugin Vulnerabilities seek to publicize their findings as far and wide as possible as a way of passive-aggressively protesting against policies put in place and strictly enforced by the WordPress support forums.
Users of the WordPress support forums are prohibited from disclosing security flaws found in WordPress plug-ins and elsewhere directly on the forums. Instead, users are required to either contact the plug-in developer directly or contact the WordPress team. Refusing to adhere to the strictly enforced rules, Plugin Vulnerabilities continued posting details of security issues on the forums, with their posts quickly found and deleted.
Now, Plugin Vulnerabilities has built up enough of a following to effectively sidestep the rules and policies of the WordPress support forums and publishes security events directly on their blog. While maintaining that they do so as a way of protecting the worldwide population of WordPress Webmasters from critical security vulnerabilities, many argue that Plugin Vulnerabilities are also inadvertently putting WordPress site owners at risk.
After all, it’s not only legitimate WordPress Webmasters who are following Plugin Vulnerabilities’ blog updates but hackers too. Armed with this information, hackers have become quick to act on reported security flaws, arguably causing some of the biggest WordPress website security compromises in the past couple of years.
What to Do If You Use One of These Plug-Ins
Facebook issued a statement claiming that the “minor bug” has been fixed. Their statement went on to say that, as far as they are aware, no WordPress sites have been compromised due to the “bug”.
If you run one or both of these plug-ins – Messenger Customer Chat or Facebook for WooCommerce – you should immediately ensure that your plug-ins are updated to the latest release. Of course, it is important for all WordPress Webmasters to keep their WordPress installation, themes, and plug-ins up-to-date at all times. But when a security flaw such as this one has been recognized, it’s time to take another quick check to make sure everything is running with the latest version.
If you run Messenger Customer Chat, Facebook for WooCommerce, or any other free WordPress plug-ins and tools and you’re worried about the security of your WordPress site, contact us today. The team at Fuel Themes are happy to chat with you about any questions or concerns you may have about the latest security risks and how they may affect your premium WordPress themes.