Threat Watch

Facebook WordPress Plugin Flaw

Security researchers on Wordfence’s Threat Intelligence team have found a vulnerability in a Facebook chat plugin for WordPress, which lets website owners embed a chat pop-up to communicate in real time. If successfully exploited, the vulnerability would allow an attacker to intercept and even alter private messages. An attacker could use this flaw to ruin an organization's reputation through toxic interactions, which could cost it revenue and possibly drive business to competitors. The plugin has over 80,000 active installations, and the flaw has received a score of 7.4 out of 10 on the CVSS scoring system. The Facebook security team has addressed the issue by releasing version 1.6 of the chat plugin, but the update has only been downloaded around 25,000 times, leaving over 54,000 WordPress sites still vulnerable.

ANALYST NOTES

Organizations that use the chat plugin from Facebook are strongly advised to download and apply version 1.6 as soon as possible. Individuals who use this chat to communicate with organizations should never divulge sensitive information, such as access credentials or credit card information, over any chat session, regardless of whether the site has been patched.

Source Article: https://www.bleepingcomputer.com/news/security/facebook-plugin-bug-lets-hackers-hijack-wordpress-sites-chat/