Last Updated: 24th July, 2022
Because WordPress is so widespread, attackers target almost any popular WordPress plugin. Accordingly, vulnerability disclosure in WordPress plugins is starting to look like an endless exercise. This time it is Zotabox's Live Chat with Facebook Messenger plugin: a persistent (stored) critical XSS vulnerability in Live Chat with Facebook Messenger by Zotabox has been disclosed.
According to the official WordPress plugin directory, this plugin has more than 30,000 active installations. As indicated by WordPress.org, it was updated a day ago with a newer version, 1.4.9, that patches the vulnerability.
Live Chat With Facebook Messenger Plugin Critical XSS Vulnerability Details
The function update_zb_fbc_code is accessible to anyone through the WordPress AJAX functionality (admin-ajax.php), which sends data to a server-side script and receives a response without reloading the page.
As you can see in the following code lines, both wp_ajax_update_zb_fbc_code (for authenticated users) and wp_ajax_nopriv_update_zb_fbc_code (for unauthenticated users) are wired to the same update_zb_fbc_code function. Hence the plugin settings can be modified by any user, logged in or not. We cannot sufficiently emphasize how critical this vulnerability is and how easily it can be abused.
```php
add_action("wp_ajax_update_zb_fbc_code", "update_zb_fbc_code");
add_action("wp_ajax_nopriv_update_zb_fbc_code", "update_zb_fbc_code");
```
In addition, the update_zb_fbc_code function does not check a nonce to prevent cross-site request forgery (CSRF) before the plugin settings are modified. Sanitization and validation of the input used to modify the settings are also very limited: the only filtering is addslashes(), which is completely inadequate because the changed settings are later rendered on the front end.
```php
function update_zb_fbc_code(){
    header('Access-Control-Allow-Origin: *');
    header('Access-Control-Allow-Credentials: true');
    $domain = addslashes($_REQUEST['domain']);
    $public_key = addslashes($_REQUEST['access']);
    $id = intval($_REQUEST['customer']);
    $zbEmail = addslashes($_REQUEST['email']);
    if(!isset($domain) || empty($domain)){
        header("Location: ".admin_url()."admin.php?page=zb_fbc");
    }else{
        update_option( 'ztb_domainid', $domain );
        update_option( 'ztb_access_key', $public_key );
        update_option( 'ztb_id', $id );
        update_option( 'ztb_email', $zbEmail );
        update_option( 'ztb_status_disconnect', 2 );
        wp_send_json( array(
            'error' => false,
            'message' => 'Update Zotabox embedded code successful !'
            )
        );
    }
}
```
The subsequent processing is also affected by this critical XSS vulnerability in Live Chat with Facebook Messenger. The plugin registers insert_zb_fbc_code() to be executed when WordPress pages are loaded:
```php
add_action( 'wp_head', 'insert_zb_fbc_code' );
```
That function reads the stored domain id back and passes it on to print_zb_fbc_code(), which embeds it, unescaped, into a script tag on every front-end page:
```php
function insert_zb_fbc_code(){
    if(!is_admin()){
        $domain = get_option( 'ztb_domainid', '' );
        $ztb_source = get_option('ztb_source','');
        $ztb_status_disconnect = get_option('ztb_status_disconnect','');
        $connected = 2;
        if(!empty($domain) && strlen($domain) > 0 && $ztb_status_disconnect == $connected){
            print_r(html_entity_decode(print_zb_fbc_code($domain)));
        }
    }
}

function print_zb_fbc_code($domainSecureID = "", $isHtml = false) {

    $ds1 = substr($domainSecureID, 0, 1);
    $ds2 = substr($domainSecureID, 1, 1);
    $baseUrl = '//static.zotabox.com';
    $code = <<<STRING
<script type="text/javascript">
(function(d,s,id){var z=d.createElement(s);z.type="text/javascript";z.id=id;z.async=true;z.src=" {$baseUrl}/{$ds1}/{$ds2}/{$domainSecureID}/widgets.js";var sz=d.getElementsByTagName(s)[0];sz.parentNode.insertBefore(z,sz)}(document,"script","zb-embed-code"));
</script>
STRING;
    return $code;
}
```
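As an added example (not the plugin's code and not from the advisory above), this is how the AJAX handler and the output sink look once the missing controls are in place: no nopriv hook, a capability check, a nonce for CSRF, strict validation of the domain id, and escaping at the point of output. The nonce action name 'zb_fbc_update', the 'manage_options' capability and the allowed character set for the id are assumptions; option names are kept from the page.

```php
<?php
// Added example (assumed hardening, not Zotabox's code).
// Registered for logged-in users only: with no wp_ajax_nopriv_ hook,
// anonymous requests to admin-ajax.php are rejected by WordPress itself.
add_action( 'wp_ajax_update_zb_fbc_code', 'update_zb_fbc_code_hardened' );

function update_zb_fbc_code_hardened() {
    // 1. Authorization: only users who may manage options change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    // 2. CSRF: the request must carry a nonce created with
    //    wp_create_nonce( 'zb_fbc_update' ) in the 'nonce' field; on mismatch
    //    check_ajax_referer() dies with HTTP 403. No permissive CORS headers.
    check_ajax_referer( 'zb_fbc_update', 'nonce' );

    // 3. Validation: the domain id ends up inside a script src, so accept only
    //    an assumed alphanumeric id instead of merely addslashes()-ing it.
    $domain = sanitize_text_field( wp_unslash( $_POST['domain'] ?? '' ) );
    if ( ! preg_match( '/^[A-Za-z0-9]{3,64}$/', $domain ) ) {
        wp_send_json_error( array( 'message' => 'Invalid domain id' ), 400 );
    }
    $public_key = sanitize_text_field( wp_unslash( $_POST['access'] ?? '' ) );
    $id         = absint( $_POST['customer'] ?? 0 );
    $email      = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( '' !== $email && ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email' ), 400 );
    }

    update_option( 'ztb_domainid', $domain );
    update_option( 'ztb_access_key', $public_key );
    update_option( 'ztb_id', $id );
    update_option( 'ztb_email', $email );
    update_option( 'ztb_status_disconnect', 2 );
    wp_send_json_success( array( 'message' => 'Update Zotabox embedded code successful !' ) );
}

// 4. Output: escape at the sink, and never html_entity_decode() the result
//    before printing it (that step undoes any earlier encoding).
function print_zb_fbc_code_hardened( $domainSecureID = '' ) {
    $src = sprintf( '//static.zotabox.com/%s/%s/%s/widgets.js',
        substr( $domainSecureID, 0, 1 ), substr( $domainSecureID, 1, 1 ), $domainSecureID );
    // esc_js() makes the value safe inside the double-quoted JS string literal.
    return '<script type="text/javascript">(function(d,s,id){var z=d.createElement(s);'
        . 'z.type="text/javascript";z.id=id;z.async=true;z.src="' . esc_js( $src ) . '";'
        . 'var sz=d.getElementsByTagName(s)[0];sz.parentNode.insertBefore(z,sz)}'
        . '(document,"script","zb-embed-code"));</script>';
}
```

The front-end hook would then call print_zb_fbc_code_hardled's return value directly with echo, so the stored value is validated on the way in and escaped on the way out.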
Diligently Update In Order To Be Safe
Updating to the patched version of the Live Chat with Facebook Messenger plugin is by far the most obvious yet crucial safety measure. The Live Chat with Facebook Messenger plugin by Zotabox has already been updated to version 1.4.9. Make sure you update to this version as soon as possible to mitigate any exploitation attempts.
In addition, a robust system for sanitizing and validating input protects your website from issues such as SQLi, XSS and CSRF.
A Comprehensive Solution For Security
At times like these, taking security for granted can cost you a lot of money. Securing your website with continuous and comprehensive monitoring goes a long way. Security solutions such as Sucuri and the Cloudflare Security Suite can be a savior.
Both Sucuri and Cloudflare provide your website with a firewall that puts a barrier against SQLi, CSRF, bad bots, XSS and 300+ other potential attacks.
2 Comments
Thank you for this article. Zotabox patched this vulnerability the same day we were notified by WP and emailed everyone affected 3 times. We recommend users UPDATE our PLUGIN. Then de-activate and activate again to remove bad script. We are sorry for any inconvenience caused.
Thanks for notifying!