Disgruntled security firm discloses zero-days in Facebook’s WordPress plugins

Time to check all your WordPress installs…:

A US-based cyber-security firm has published details about two zero-days that impact two of Facebook’s official WordPress plugins.

The details also include proof-of-concept (PoC) code that allows hackers to craft exploits and launch attacks against sites using the two plugins.


The two zero-days impact “Messenger Customer Chat,” a WordPress plugin that shows a custom Messenger chat window on WordPress sites, and “Facebook for WooCommerce,” a WordPress plugin that allows WordPress site owners to upload their WooCommerce-based stores on their Facebook pages.

The first plugin is installed by over 20,000 sites, while the second has a userbase of 200,000 — with its statistics exploding since mid-April when the WordPress team decided to start shipping the Facebook for WooCommerce plugin as part of the official WooCommerce online store plugin itself.

Since then, the plugin has garnered a collective rating of 1.5 stars, with the vast majority of reviewers complaining about errors and a lack of updates.


Original Article