Disgruntled security firm discloses zero-days in Facebook's WordPress plugins


A US-based cyber-security firm has published details about two zero-days that impact two of Facebook’s official WordPress plugins.

The details also include proof-of-concept (PoC) code that allows hackers to craft exploits and launch attacks against sites using the two plugins.

Impacted plugins

The two zero-days impact “Messenger Customer Chat,” a WordPress plugin that shows a custom Messenger chat window on WordPress sites, and “Facebook for WooCommerce,” a WordPress plugin that allows WordPress site owners to upload their WooCommerce-based stores on their Facebook pages.

The first plugin is installed on over 20,000 sites, while the second has a user base of 200,000, a figure that has exploded since mid-April, when the WordPress team decided to start shipping the Facebook for WooCommerce plugin as part of the official WooCommerce online store plugin itself.


Since then, the plugin has garnered a collective rating of 1.5 stars, with the vast majority of reviewers complaining about errors and a lack of updates.

The grudge

Nevertheless, bad reputation or not, the security of every user who installed these extensions was put at risk today because of a stupid grudge between a Denver-based company called White Fir Design LLC (dba Plugin Vulnerabilities) and the WordPress forum moderation team.

In a dispute that has been raging for years, the Plugin Vulnerabilities team decided it would not follow a policy change on the WordPress.org forums that banned users from disclosing security flaws through the forums and instead required security researchers to email the WordPress team, which would then contact the plugin owners.

For years, the Plugin Vulnerabilities team has been disclosing security flaws on the WordPress forums in spite of this rule, and has had its forum accounts banned as a result.

Things escalated this past spring when the Plugin Vulnerabilities team decided to take their protest a step further.

In addition to creating topics on the WordPress.org forums to warn users about security flaws, they also started publishing blog posts on their site with in-depth details and PoC code for the vulnerabilities they were finding.

They disclosed security flaws this way for WordPress plugins such as Easy WP SMTP, Yuzo Related Posts, Social Warfare, Yellow Pencil Plugin, and WooCommerce Checkout Manager.

Hackers quickly caught on, and many of the details the Plugin Vulnerabilities team published on its site were integrated into active malware campaigns, some of which led to the compromise of some pretty big websites along the way.

Not that dangerous — but still zero-days

Today, the Plugin Vulnerabilities team has continued their spree of dropping zero-days instead of working with plugin authors to fix the vulnerabilities.

They published details about two cross-site request forgery (CSRF) flaws that impact the two aforementioned Facebook WordPress plugins.

The two flaws allow authenticated users to alter WordPress site options. The vulnerabilities aren’t as dangerous as the ones revealed earlier this year, as they require a little social engineering: either a registered user has to click a malicious link, or the attacker has to manage to register an account on the website they want to attack. They may be harder to exploit, but they do allow attackers to take over sites.
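To illustrate the bug class the article describes (a plugin request handler that updates a site option without verifying where the request came from or who sent it), here is an added, hypothetical WordPress example, not code from either Facebook plugin: the vulnerable pattern beside the hardened form WordPress itself provides for it. All function and option names prefixed `example_` are constructed for this illustration.

```php
<?php
// Constructed illustration of a CSRF-prone settings handler; not the Facebook plugins' code.

// VULNERABLE: the only thing required is the victim's login cookie, which the browser
// attaches automatically. A cross-site form submission the user never intended to send
// therefore succeeds, and any authenticated account can change the option.
add_action( 'admin_post_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    // No nonce check (request origin) and no capability check (who is allowed).
    update_option( 'example_chat_page_id', sanitize_text_field( $_POST['page_id'] ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// HARDENED: require a nonce bound to this specific action, plus the right capability.
add_action( 'admin_post_example_save_settings_v2', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // Dies with an error if the nonce is missing, expired, or issued for another action,
    // which is exactly what a request forged from a third-party page will look like.
    check_admin_referer( 'example_save_settings' );
    // A low-privilege account (e.g. a subscriber the attacker registered) is rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $page_id = sanitize_text_field( wp_unslash( $_POST['page_id'] ?? '' ) );
    update_option( 'example_chat_page_id', $page_id );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// The legitimate settings form embeds the nonce, so only forms rendered by the site
// for this user carry a value that check_admin_referer() will accept.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings_v2">
        <?php wp_nonce_field( 'example_save_settings' ); ?>
        <input type="text" name="page_id"
               value="<?php echo esc_attr( get_option( 'example_chat_page_id', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of flaw, the check is simply whether every handler that calls `update_option()` reaches it only after both a nonce verification and a capability check; either one alone leaves one of the two attack paths the article mentions open.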

Nonetheless, just like before, the Plugin Vulnerabilities team completely ignored proper cyber-security etiquette and published details on their blog instead of contacting Facebook in private to have the bugs resolved.

A message was posted on the WordPress.org forums but was deleted according to the site’s policy.

In an explainer the company posted on its blog, Plugin Vulnerabilities tried to justify its course of action by claiming that Facebook’s bug bounty program isn’t clear on whether the company’s WordPress plugins are eligible for rewards, and tried to pin the blame on the social network for limiting access to the program to users with a Facebook account.

Their excuses are flimsy, to say the least, as their record of past disclosures shows they aren’t really trying that hard to notify developers, and are merely making a spectacle on the WordPress forums about their ability to find vulnerabilities as part of some misguided marketing stunt for a commercial WordPress security plugin they are managing.

For obvious reasons, the Plugin Vulnerabilities team is not very well liked in the WordPress community right now.
