A WordPress security researcher claims to have found cross-site request forgery flaws in two WordPress plugins developed by Facebook, Facebook for WooCommerce and Messenger Customer Chat. The researcher published the bugs on the Plugin Vulnerabilities website, disclosing the flaws before notifying the vendor, in what the site says is a protest against the moderators of the WordPress Support Forum.
According to the firm, both plugins are widely used. Messenger Customer Chat, with 200,000 installs, lets site owners embed Facebook's Messenger chat tool on their WordPress websites to interact with visitors. Facebook for WooCommerce, with 20,000 installs, lets users connect their WooCommerce products to Facebook.
Because the researcher did not disclose the flaws responsibly and allow a patch to be made available to affected websites ahead of disclosure, Threatpost will limit the information and links associated with the researcher's report. It is not the first time the researcher has reported flaws in WordPress plugins before patches were available, and as a result the researcher and Plugin Vulnerabilities have become a lightning rod for criticism in the infosec space.
The flaws were made public by Plugin Vulnerabilities on Monday via its website and Twitter account. Facebook, for its part, confirmed in an email to Threatpost that a fix for the bugs has been issued.
“We are dedicated to the safety and security of the Messenger community, and recently fixed a minor bug impacting two chat plugins on WordPress,” a Facebook spokesperson told Threatpost on Tuesday. “We are not aware of anyone who was affected by this bug, and we are grateful to the security research community for their efforts to help keep Messenger safe. Our priority is creating the best experience for people on Messenger.”
Plugin Vulnerabilities on Monday claimed that the two plugins in question are missing the nonce checks that would prevent cross-site request forgery (CSRF/XSRF) attacks on their settings. It also alleges that Messenger Customer Chat is missing a capability check that restricts which users are allowed to change its settings.
Cross-site request forgery abuses the fact that a browser automatically attaches a site's cookies, including the session cookie, to every request it sends to that site. If a logged-in user visits an attacker-controlled page, that page can make the browser submit a request to the vulnerable application (changing an email address, transferring funds, saving a plugin setting, and so on), and the application accepts it as the user's own action because it checks only the session, not whether the user actually intended the request. The standard defense is a per-user, per-action secret (a nonce or CSRF token) that the application requires with each state-changing request and that the attacker's page cannot read.
When it comes to Messenger Customer Chat, “due to the sanitization, what this vulnerability could lead to is limited to disabling the functionality of the plugin or placing a message on the website’s pages, as the value of the option is placed at the bottom of frontend pages,” according to the company.
Facebook for WooCommerce also was found to be missing a nonce needed to prevent CSRF conditions. Plugin Vulnerabilities also noted that, according to the plugin's page in the WordPress plugin repository, it hasn't been tested with the latest three major releases of WordPress.
“It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress,” according to the page.
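The two weaknesses the report describes, a settings handler without a nonce check and without a capability check, follow a common WordPress plugin pattern. The following is an added example, not code from either Facebook plugin or from Plugin Vulnerabilities, written as a minimal plugin file that runs inside WordPress. The option name (`example_chat_snippet`), the `admin_post` action names, the nonce action and field name, and the settings page slug are all assumed for illustration. It shows the unsafe shape of such a handler next to a hardened version that adds both checks.

```php
<?php
/**
 * Plugin Name: Example Chat Snippet (added illustrative example)
 *
 * Not the code of any real plugin. Option name, action names and nonce
 * names are assumptions made for this example.
 */

// --- Unsafe shape (illustrative of the class of bug described above):
// any logged-in user's browser that is made to POST here, for example by a
// form on an attacker's page, updates the option. There is no nonce, so a
// forged cross-site request is indistinguishable from a real save, and no
// capability check, so the request need not come from an administrator.
add_action( 'admin_post_example_chat_save_unsafe', function () {
    $value = sanitize_text_field( wp_unslash( $_POST['example_chat_snippet'] ?? '' ) );
    update_option( 'example_chat_snippet', $value ); // attacker-chosen value is stored
    wp_safe_redirect( admin_url( 'options-general.php?page=example-chat' ) );
    exit;
} );

// --- Hardened handler: the capability check rejects users who may not manage
// settings, and the nonce check rejects requests that do not carry the
// per-user, per-action token emitted by the plugin's own settings form.
// check_admin_referer() calls wp_die() when the nonce is missing or invalid.
add_action( 'admin_post_example_chat_save', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change this setting.', 403 );
    }
    check_admin_referer( 'example_chat_save', '_example_chat_nonce' );

    $value = sanitize_text_field( wp_unslash( $_POST['example_chat_snippet'] ?? '' ) );
    update_option( 'example_chat_snippet', $value );

    wp_safe_redirect(
        add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-chat' ) )
    );
    exit;
} );

// Settings page: the form must emit the matching nonce field so that
// legitimate saves pass check_admin_referer() while forged ones fail.
add_action( 'admin_menu', function () {
    add_options_page(
        'Example Chat',
        'Example Chat',
        'manage_options',            // menu visibility also gated by capability
        'example-chat',
        'example_chat_render_form'
    );
} );

function example_chat_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_chat_save">
        <?php wp_nonce_field( 'example_chat_save', '_example_chat_nonce' ); ?>
        <label for="example_chat_snippet">Chat snippet</label>
        <input type="text" id="example_chat_snippet" name="example_chat_snippet"
               value="<?php echo esc_attr( get_option( 'example_chat_snippet', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The order of the two checks matters only for the error the user sees; both must be present. A nonce alone does not stop a low-privilege user who can load the settings page and obtain a valid nonce, and a capability check alone does not stop a forged request made from an administrator's browser. Sanitizing the value, as the report notes, limits what an attacker can store but does not prevent the forged write itself.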
Plugin Vulnerabilities has drawn backlash for its handling of disclosures around plugin vulnerabilities. The website has published disclosures and proof-of-concept code for plugins such as the WooCommerce Checkout Manager extension, the Yellow Pencil plugin, Social Warfare and Yuzo Related Posts, many of which were actively exploited not long after the proofs of concept and vulnerabilities were disclosed.
Plugin Vulnerabilities said on its website that it is disclosing these flaws in protest of "continued inappropriate behavior" by the moderators of the WordPress Support Forum.
“Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum,” according to Plugin Vulnerabilities’ post.
“Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon),” according to the post. “You would think they would have already done that, but considering that they believe that having plugins, which have millions installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).”
These tactics have drawn criticism. A recent Medium post outlined how the website’s actions are “seriously undermining the security of the WordPress ecosystem.”
“Since pluginvulnerabilities.com is not agreeing to the rules of WordPress support forums and their fake accounts are being banned, they decided to start blackmailing WordPress.org,” the post said. “They demand WordPress.org to “clean up the moderation” or they will continue to undermine the security of the WordPress ecosystem by disclosing plugin security vulnerabilities to hackers without reaching out to developers first.”
A spokesperson for the plugin review team at the WordPress.org Plugin Directory (a separate team from the forum moderators) told Threatpost that Plugin Vulnerabilities was breaking a policy of the support forums by posting zero-days in the forums.
“They were told not to and to email us here instead so we could reach out to the developer directly,” the spokesperson told Threatpost. “For whatever reason, they decided to instead continue to release 0-days without attempting to privately contact the plugin developers. They seem to be conflating the plugin review team’s actions (to contact developers and get things fixed) with the forum team’s actions (to remove 0-days from the forums).”
“We don’t claim to be perfect with regards to making sure every single possible vulnerability is fixed, but we’re certainly trying our best :/ They aren’t making it easy,” according to the spokesperson.
This story was updated on June 18 with a comment from Facebook.