Two Facebook WordPress plugins are affected by cross-site request forgery flaws, impacting the Messenger Customer Chat and Facebook for WooCommerce. Over 20,000 sites have installed the Messenger Customer Chat plugin, while the Facebook for WooCommerce plugin has been implemented by more than 200,000 users. If exploited, the vulnerabilities may allow perpetrators to make documented changes to WordPress site options. The security firm that discovered the vulnerabilities, White Fir Design LLC a.k.a. Plugin Vulnerabilities, published a Proof-of Concept which allows for attackers to develop exploits and specifically go after sites that have the two plugins installed. WordPress.org forums have undergone a process that bans the disclosure of vulnerabilities through the site and requests that they are sent by email to the WordPress team. Instead, the security firm disregarded the ban and uploaded the flaws, which resulted in their accounts being deactivated. Once their accounts were banned, the team went to their blogs and released in-depth details and PoC code regarding the vulnerabilities. Users can take a look at WPScan Vulnerability Database which can let them know if there are any known vulnerabilities associated with the plugins that they want to download. If plugins are downloaded and used, they should be updated regularly, as well as all other aspects of the site. If certain plugins are not being used, then users should delete them.
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is