Disgruntled security firm discloses zero-days in Facebook's WordPress plugins

Zero-days disclosed in "Facebook for WooCommerce" and "Messenger Customer Chat."
Written by Catalin Cimpanu, Contributor

A US-based cyber-security firm has published details about two zero-days that impact two of Facebook's official WordPress plugins.

The details also include proof-of-concept (PoC) code that allows hackers to craft exploits and launch attacks against sites using the two plugins.

Impacted plugins

The two zero-days impact "Messenger Customer Chat," a WordPress plugin that shows a custom Messenger chat window on WordPress sites, and "Facebook for WooCommerce," a WordPress plugin that allows WordPress site owners to upload their WooCommerce-based stores on their Facebook pages.

The first plugin is installed by over 20,000 sites, while the second has a userbase of 200,000 -- with its statistics exploding since mid-April when the WordPress team decided to start shipping the Facebook for WooCommerce plugin as part of the official WooCommerce online store plugin itself.

Since then, the plugin has garnered a collective rating of 1.5 stars, with the vast majority of reviewers complaining about errors and a lack of updates.

The grudge

Nevertheless, despite the bad reputation, today, the security of all users who installed these extensions was put at risk because of a stupid grudge between a Denver-based company called White Fir Design LLC (dba Plugin Vulnerabilities), and the WordPress forum moderation team.

In a dispute that's been raging for years, the Plugin Vulnerabilities team decided they wouldn't follow a policy change on the WordPress.org forums that banned users from disclosing security flaws through the forums, and instead required security researchers to email the WordPress team, which would then contact plugin owners.

For years, the Plugin Vulnerabilities team has been disclosing security flaws on the WordPress forums in spite of this rule -- and having its forum accounts banned as a result of its rule-breaking behavior.

Things escalated this past spring when the Plugin Vulnerabilities team decided to take their protest a step further.

Instead of creating topics on the WordPress.org forums to warn users about security flaws, they also started publishing blog posts on their site with in-depth details and PoC code about the vulnerabilities they were finding.

They disclosed security flaws this way for WordPress plugins such as Easy WP SMTP, Yuzo Related Posts, Social Warfare, Yellow Pencil Plugin, and WooCommerce Checkout Manager.

Hackers quickly caught on, and many of the details the Plugin Vulnerabilities team published on its site were integrated into active malware campaigns, some of which led to the compromise of some pretty big websites along the way.

Not that dangerous -- but still zero-days

Today, the Plugin Vulnerabilities team has continued their spree of dropping zero-days instead of working with plugin authors to fix the vulnerabilities.

They published details about two cross-site request forgery (CSRF) flaws that impact the two aforementioned Facebook WordPress plugins.

The two flaws allow authenticated users to alter WordPress site options. The vulnerabilities aren't as dangerous as the ones revealed earlier this year, as they require a little bit of social engineering: a registered user has to click on a malicious link, or an attacker has to manage to register an account on the website they want to attack. They might be harder to exploit, but they do allow attackers to take over sites.
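As an added illustration of this bug class (constructed code, not the article's and not taken from either Facebook plugin), here is a hypothetical WordPress settings handler that writes a site option without checking that the logged-in user actually intended the request, next to the hardened form that adds the capability and nonce checks; the plugin slug, option name and function names are invented.

```php
<?php
// Added illustration of CSRF in a WordPress admin action that writes site
// options. Hypothetical plugin code, NOT the Facebook plugins' real source.
// Assumes it runs inside WordPress, so update_option(), check_admin_referer(),
// current_user_can(), wp_nonce_field() and add_action() are available.

// --- Vulnerable pattern -----------------------------------------------------
// Handles POSTs to admin-post.php?action=example_save. It verifies that the
// request comes from a logged-in session but not that the user intended it,
// so a victim who, while logged in, visits a page that auto-submits this form
// has the option rewritten with attacker-chosen content.
function example_save_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in' );
    }
    update_option( 'example_setting', wp_unslash( $_POST['example_setting'] ) );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- Hardened pattern -------------------------------------------------------
// Two checks the vulnerable version lacks: a capability check (only users who
// may manage options get this far) and a nonce check (check_admin_referer()
// dies unless the form carried a fresh nonce bound to this user and action,
// which a cross-site form cannot supply).
function example_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_action', 'example_nonce' );
    $value = sanitize_text_field( wp_unslash( $_POST['example_setting'] ?? '' ) );
    update_option( 'example_setting', $value );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_example_save', 'example_save_hardened' );

// The plugin's own settings form must emit the matching nonce field, or the
// hardened handler will (correctly) reject every submission.
function example_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save">';
    wp_nonce_field( 'example_save_action', 'example_nonce' );
    echo '<input type="text" name="example_setting" value="'
        . esc_attr( get_option( 'example_setting', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

When reviewing a plugin for this class of flaw, look for every update_option() call reachable from an admin-post, admin-ajax or settings-page handler and confirm a nonce check sits in front of it.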

Nonetheless, just like before, the Plugin Vulnerabilities team completely ignored proper cyber-security etiquette and published details on their blog instead of contacting Facebook in private to have the bugs resolved.

A message was posted on the WordPress.org forums but was deleted according to the site's policy.

In an explainer the company posted on its blog, Plugin Vulnerabilities tried to justify its course of action by claiming Facebook's bug bounty program isn't clear if the company's WordPress plugins are eligible for rewards, and tried to pin the blame on the social network for limiting access to the program only for users with a Facebook account.

Their excuses are flimsy, to say the least, as their record of past disclosures shows they aren't really trying that hard to notify developers, and are merely making a spectacle on the WordPress forums about their ability to find vulnerabilities as part of some misguided marketing stunt for a commercial WordPress security plugin they are managing.

For obvious reasons, the Plugin Vulnerabilities team is not very well liked in the WordPress community right now.
