Security Alerts: Facebook Plugin Vulnerability Could Allow Threat Actors to Hijack WordPress Websites' Chat

Wednesday, Aug 5, 2020

On August 4, 2020, details were released regarding a new vulnerability in version 1.5 of the Facebook Chat plugin, which is installed on over 80,000 WordPress websites. The Facebook Chat plugin allows WordPress website owners to embed a chat pop-up to communicate with visitors in real time through Facebook’s messaging platform for Facebook Pages. Security researchers identified the vulnerability on June 26, 2020; it has been rated “High” in severity with a CVSS score of 7.4. According to the researchers, the vulnerability resides in the plugin’s “wp_ajax_update_options” AJAX action, which does not verify that a page connection request came from an authenticated website administrator. As a result, any authenticated user, including subscriber-level accounts, can send a request to update the options and link their own Facebook Messenger account. After successfully linking their own Facebook page to the targeted site’s chat, authenticated attackers can engage in chat sessions with site visitors, which can lead to social engineering attacks aimed at retrieving sensitive information.

The findings were reported to Facebook, which released a patch on July 28, 2020. Nuspire recommends that WordPress website owners update their Facebook Chat plugin to version 1.6 to prevent exploitation.
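
For plugin developers and reviewers, the missing check described above looks like this in a WordPress AJAX handler, shown next to a hardened form. This is an added illustration of the general pattern, not the Facebook Chat plugin's source or its 1.6 patch; the function names, option name, nonce action and `page_id` field are hypothetical.

```php
<?php
/**
 * Added illustration, not the Facebook Chat plugin's code.
 * Function names, option name, nonce action and POST field are hypothetical.
 */

// Pattern described in the alert: a wp_ajax_ hook fires for ANY logged-in
// user, so a handler with no capability check lets a subscriber change settings.
function example_chat_update_options_unchecked() {
    $page_id = sanitize_text_field( wp_unslash( $_POST['page_id'] ?? '' ) );
    update_option( 'example_chat_page_id', $page_id );
    wp_send_json_success();
}

// Hardened form: verify intent (nonce) and authority (capability) before writing.
function example_chat_update_options() {
    // Reject requests that lack the nonce issued on the admin settings page.
    if ( ! check_ajax_referer( 'example_chat_update_options', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // Only administrators may relink the chat to a different Facebook Page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $page_id = isset( $_POST['page_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['page_id'] ) )
        : '';

    // Assumption for this example: page IDs are numeric strings.
    if ( ! ctype_digit( $page_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid page ID.' ), 400 );
    }

    update_option( 'example_chat_page_id', $page_id );
    wp_send_json_success();
}

// Register only the hardened handler. No wp_ajax_nopriv_ hook is added,
// so unauthenticated requests never reach it.
add_action( 'wp_ajax_update_options', 'example_chat_update_options' );
```

`wp_send_json_error()` ends the request, so no code after a failed check runs. When auditing other plugins, any `wp_ajax_` handler that writes options without a `current_user_can()` check deserves the same scrutiny.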