A flaw in The Official Facebook Chat Plugin made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites. This WordPress plugin is currently installed on over 80,000 sites.
What is the Facebook Chat plugin
The Official WordPress Facebook Chat plugin is a very simple plugin that is used to add a “Facebook Messenger” chat pop-up to any WordPress site and connect a site owner’s chosen Facebook page to receive messages and interact with site visitors.
This vulnerability could be exploited and easily go undetected by a site owner, causing site visitors to interact with an attacker instead of the site owner. Exploit attempts targeting this vulnerability could easily be used as part of a social engineering attack by posing as a site owner requesting personally identifiable information, credentials, or other information.
Another possible scenario for this vulnerability to be exploited is that a competitor could use it to their advantage. By supplying nothing for the pageid parameter, a competitor could completely disable the chat, causing a loss of availability for the chat service, potentially resulting in a loss of sales.
How Wordfence explains the Facebook Chat plugin vulnerability
The plugin does most of the design work through a dialog on Facebook.com. However, once that dialog is finished, it updates plugin options (among them fbmcc_locale) to set the chat's page ID that will be connected to the pop-up on the front end of the site, and the language localization that should be used.
In order to do so, the plugin registered an AJAX action hooked to wp_ajax_update_options.
Unfortunately, this AJAX action had no capability checks to verify that a request was coming from an authenticated administrator. This made it possible for any authenticated user, including subscriber level accounts, to send a request to update the options and hook up their own Facebook Messenger account.
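The pattern described above, as an added illustration rather than the plugin's own code: a wp_ajax_ handler that only checks for a logged-in user, beside a hardened version that checks a capability and a nonce and refuses an empty page ID. The option name fbmcc_page_id_option, the nonce action name and the request field names are assumptions for this example.

```php
<?php
// Added example, not the plugin's code. fbmcc_page_id_option, the nonce action
// name and the pageid/locale field names are assumptions.

// Vulnerable pattern: wp_ajax_{action} only fires for logged-in users, but a
// subscriber is logged in too, so nothing here enforces authorization.
function fbmcc_update_options_vulnerable() {
    update_option( 'fbmcc_page_id_option', sanitize_text_field( $_POST['pageid'] ) );
    update_option( 'fbmcc_locale', sanitize_text_field( $_POST['locale'] ) );
    wp_die();
}

// Hardened pattern: require an administrator capability, verify a nonce issued
// to the settings page, and validate both values before storing them.
function fbmcc_update_options_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // The settings page must emit wp_create_nonce( 'fbmcc_update_options' )
    // and send it as the "nonce" request field.
    check_ajax_referer( 'fbmcc_update_options', 'nonce' );

    $page_id = isset( $_POST['pageid'] ) ? preg_replace( '/\D/', '', wp_unslash( $_POST['pageid'] ) ) : '';
    $locale  = isset( $_POST['locale'] ) ? sanitize_text_field( wp_unslash( $_POST['locale'] ) ) : '';

    // Reject an empty page ID so the chat cannot be silently disabled, and only
    // accept locales shaped like en_US (assumed format for this example).
    if ( '' === $page_id || ! preg_match( '/^[a-z]{2}_[A-Z]{2}$/', $locale ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    update_option( 'fbmcc_page_id_option', $page_id );
    update_option( 'fbmcc_locale', $locale );
    wp_send_json_success();
}

// Register only the hardened handler; no wp_ajax_nopriv_ hook is added, so
// unauthenticated requests never reach it.
add_action( 'wp_ajax_update_options', 'fbmcc_update_options_hardened' );
```

Note that the capability check is what closes the flaw; the nonce alone would still let a subscriber who obtained a valid nonce update the options.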
This flaw has been fully patched in version 1.6. We recommend that users immediately update to the latest version available, which is version 1.6 at the time of this publication.
How can you protect yourself as a site visitor?
Never, in any situation, divulge sensitive information, like access credentials or credit card data, to anyone unless you can truly verify the person or company is who they say they are and they have a legitimate “need to know.”
Both sites using Wordfence Premium and those still using the free version of Wordfence are protected from attacks against this vulnerability. If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a critical security update.
Read more about this vulnerability on the WordFence Blog