Live Chat With Facebook Messenger Plugin Critical XSS Vulnerability Revealed

Because WordPress powers such a large share of the web, attackers keep probing nearly every popular WordPress plugin for weaknesses, and disclosing WordPress plugin vulnerabilities has become an almost endless exercise. This time it is Zotabox’s Live Chat with Facebook Messenger plugin: a critical stored (persistent) XSS vulnerability in Live Chat with Facebook Messenger by Zotabox has been revealed.

According to the official WordPress plugin directory, this plugin has more than 30,000 active installations. As WordPress.org shows, it was updated a day ago to a newer version, 1.4.9, which patches the vulnerability.

Live Chat With Facebook Messenger Plugin Critical XSS Vulnerability Details

The function update_zb_fbc_code is reachable by anyone through the WordPress AJAX mechanism (admin-ajax.php), which lets a page send data to the server and receive a response without reloading.

As the following code lines show, both wp_ajax_update_zb_fbc_code (for logged-in users) and wp_ajax_nopriv_update_zb_fbc_code (for unauthenticated visitors) are wired to the same “update_zb_fbc_code” function. Hence the plugin settings can be modified by any user, logged in or not. We cannot emphasize enough how critical this is and how easily it can be abused.

add_action("wp_ajax_update_zb_fbc_code", "update_zb_fbc_code");
add_action("wp_ajax_nopriv_update_zb_fbc_code", "update_zb_fbc_code");

In addition, update_zb_fbc_code performs no nonce or capability check, so there is nothing to prevent cross-site request forgery (CSRF) before the plugin settings are modified; and because the unauthenticated hook exists, an attacker does not even need a victim’s browser and can simply send the request to admin-ajax.php directly. (The handler even sends a wildcard Access-Control-Allow-Origin header.) It also does very little to sanitize or validate the input it stores. The only filtering applied to the domain value is addslashes(), which is completely inadequate, because the stored setting is later rendered, unescaped, into every front-end page.


function update_zb_fbc_code(){
    header('Access-Control-Allow-Origin: *');
    header('Access-Control-Allow-Credentials: true');
    $domain = addslashes($_REQUEST['domain']);
    $public_key = addslashes($_REQUEST['access']);
    $id = intval($_REQUEST['customer']);
    $zbEmail = addslashes($_REQUEST['email']);
    if(!isset($domain) || empty($domain)){
        header("Location: ".admin_url()."admin.php?page=zb_fbc");
    }else{
        update_option( 'ztb_domainid', $domain );
        update_option( 'ztb_access_key', $public_key );
        update_option( 'ztb_id', $id );
        update_option( 'ztb_email', $zbEmail );
        update_option( 'ztb_status_disconnect', 2 );
        wp_send_json( array(
            'error' => false,
            'message' => 'Update Zotabox embedded code successful !'
            )
        );
    }
}
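For comparison, here is how the same handler looks when it is wired only for logged-in users, checks a nonce and a capability, and validates each field against an allow-list before storing it. This is an added example written for this article, not Zotabox’s patched code: the nonce action name zb_fbc_update, the hardened_ function names, the admin-page hook suffix, and the exact allowed format of the Zotabox domain ID and access key are assumptions. It also drops the wildcard CORS headers, which a WordPress admin endpoint never needs.

```php
<?php
// Added example (not the plugin's code): a hardened update_zb_fbc_code().
// Assumptions: nonce action 'zb_fbc_update', the domain ID and access key are
// short alphanumeric tokens, and the settings page is a top-level menu page.

// Only the authenticated hook: no wp_ajax_nopriv_ registration at all.
add_action( 'wp_ajax_update_zb_fbc_code', 'hardened_update_zb_fbc_code' );

function hardened_update_zb_fbc_code() {
    // CSRF: the request must carry a nonce minted for this action.
    // check_ajax_referer() replies 403 and exits if the nonce is missing or stale.
    check_ajax_referer( 'zb_fbc_update', 'nonce' );

    // Authorization: being logged in is not enough; require an admin capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // Validation with an allow-list. The domain ID ends up inside a <script>
    // URL on every page, so anything but [A-Za-z0-9] is rejected outright.
    $domain = isset( $_POST['domain'] ) ? wp_unslash( $_POST['domain'] ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9]{2,64}$/', $domain ) ) {
        wp_send_json_error( array( 'message' => 'Invalid domain ID.' ), 400 );
    }

    $public_key = isset( $_POST['access'] ) ? wp_unslash( $_POST['access'] ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,128}$/', $public_key ) ) {
        wp_send_json_error( array( 'message' => 'Invalid access key.' ), 400 );
    }

    $id = isset( $_POST['customer'] ) ? absint( $_POST['customer'] ) : 0;

    $email = isset( $_POST['email'] ) ? sanitize_text_field( wp_unslash( $_POST['email'] ) ) : '';
    if ( '' !== $email && ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
    }

    // Only now touch the options. No addslashes(): WordPress handles database
    // escaping itself, and the values have already passed the allow-lists.
    update_option( 'ztb_domainid', $domain );
    update_option( 'ztb_access_key', $public_key );
    update_option( 'ztb_id', $id );
    update_option( 'ztb_email', $email );
    update_option( 'ztb_status_disconnect', 2 );

    wp_send_json_success( array( 'message' => 'Update Zotabox embedded code successful !' ) );
}

// The settings page hands the nonce to its JavaScript, which must POST it
// as the 'nonce' field together with action=update_zb_fbc_code.
function hardened_zb_fbc_admin_assets( $hook_suffix ) {
    if ( 'toplevel_page_zb_fbc' !== $hook_suffix ) { // assumed hook suffix for admin.php?page=zb_fbc
        return;
    }
    wp_enqueue_script( 'zb-fbc-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'zb-fbc-admin', 'zbFbc', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'zb_fbc_update' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hardened_zb_fbc_admin_assets' );
```

The three checks are independent layers: removing the nopriv hook keeps anonymous visitors out, check_ajax_referer() stops a logged-in administrator from being tricked by a third-party page, and current_user_can() stops a low-privilege account (a subscriber, say) from rewriting the settings. The allow-list on the domain ID is what actually closes the XSS, since it guarantees nothing but letters and digits ever reaches the script URL.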

The rendering side is what turns this into XSS. The plugin registers insert_zb_fbc_code() to run on every front-end WordPress page load via the wp_head hook:


add_action( 'wp_head', 'insert_zb_fbc_code' );

That function reads the stored domain option and hands it to print_zb_fbc_code(); the result is passed through html_entity_decode() and printed straight into the page, with no escaping at all.


function insert_zb_fbc_code(){
    if(!is_admin()){
        $domain = get_option( 'ztb_domainid', '' );
        $ztb_source = get_option('ztb_source','');
        $ztb_status_disconnect = get_option('ztb_status_disconnect','');
        $connected = 2;
        if(!empty($domain) && strlen($domain) > 0 && $ztb_status_disconnect == $connected){
            print_r(html_entity_decode(print_zb_fbc_code($domain)));
        }
    }
}

function print_zb_fbc_code($domainSecureID = "", $isHtml = false) {

    $ds1 = substr($domainSecureID, 0, 1);
    $ds2 = substr($domainSecureID, 1, 1);
    $baseUrl = '//static.zotabox.com';
    $code = <<<STRING
<script type="text/javascript">
(function(d,s,id){var z=d.createElement(s);z.type="text/javascript";z.id=id;z.async=true;z.src="{$baseUrl}/{$ds1}/{$ds2}/{$domainSecureID}/widgets.js";var sz=d.getElementsByTagName(s)[0];sz.parentNode.insertBefore(z,sz)}(document,"script","zb-embed-code"));
</script>
STRING;
    return $code;
}
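To see concretely why addslashes() followed by html_entity_decode() is no defence for a value that lands inside a <script> tag, here is a small stand-alone PHP script that reproduces the plugin’s store-and-render path with two constructed payloads, then shows a renderer that refuses anything but a well-formed ID and emits the URL as a proper JavaScript string literal. This is an added illustration written for this article, not plugin code: the payloads are constructed, the assumed ID format is alphanumeric, and json_encode() stands in for WordPress’s esc_js()/wp_json_encode() helpers so the script runs under plain php with no WordPress installed.

```php
<?php
// Added example, not the plugin's code. Reproduces the plugin's pipeline:
// addslashes() on store, html_entity_decode(print_zb_fbc_code()) on render.

function plugin_like_render( string $domainSecureID ): string {
    // Same string construction as the plugin's print_zb_fbc_code().
    $ds1 = substr( $domainSecureID, 0, 1 );
    $ds2 = substr( $domainSecureID, 1, 1 );
    $baseUrl = '//static.zotabox.com';
    return '<script type="text/javascript">'
        . '(function(d,s,id){var z=d.createElement(s);z.type="text/javascript";z.id=id;z.async=true;'
        . "z.src=\"{$baseUrl}/{$ds1}/{$ds2}/{$domainSecureID}/widgets.js\";"
        . 'var sz=d.getElementsByTagName(s)[0];sz.parentNode.insertBefore(z,sz)}(document,"script","zb-embed-code"));'
        . '</script>';
}

// What the vulnerable plugin ends up printing for a given request value.
function vulnerable_output( string $request_value ): string {
    $stored = addslashes( $request_value );                    // update_zb_fbc_code()
    return html_entity_decode( plugin_like_render( $stored ) ); // insert_zb_fbc_code()
}

// Hardened renderer: allow-list the ID (assumed alphanumeric), fail closed,
// and embed the URL as a JSON/JS string literal with HTML-safe escaping.
function hardened_output( string $stored_value ): string {
    if ( ! preg_match( '/^[A-Za-z0-9]{2,64}$/', $stored_value ) ) {
        return ''; // print nothing rather than something attacker-shaped
    }
    $src = json_encode(
        "//static.zotabox.com/{$stored_value[0]}/{$stored_value[1]}/{$stored_value}/widgets.js",
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_SLASHES
    );
    return '<script>(function(d,s,id){var z=d.createElement(s);z.async=true;z.id=id;'
        . 'z.src=' . $src . ';'
        . 'var sz=d.getElementsByTagName(s)[0];sz.parentNode.insertBefore(z,sz)}(document,"script","zb-embed-code"));'
        . '</script>';
}

// Constructed payloads. Neither contains a quote or a backslash, so addslashes()
// leaves both untouched; the second is entity-encoded, and html_entity_decode()
// obligingly turns it back into live markup on the way out.
$payloads = array(
    '</script><script>alert(document.domain)</script>',
    '&lt;/script&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt;',
);

foreach ( $payloads as $p ) {
    $out = vulnerable_output( $p );
    $broke_out = strpos( $out, '</script><script>alert(document.domain)</script>' ) !== false;
    echo 'vulnerable path: ', $broke_out ? 'payload rendered as live markup' : 'payload neutralised', "\n";
    echo 'hardened path:   ', '' === hardened_output( $p ) ? 'payload rejected' : 'payload accepted', "\n";
}

// A legitimate ID renders a single, well-formed widget tag.
echo hardened_output( 'a1b2c3' ), "\n";
```

The key point is that the HTML parser ends a script element at the first </script> it sees, regardless of any JavaScript string the text happens to be sitting in, so a backslash-escaping function such as addslashes() is the wrong tool for this context. Validate the value against the format it is supposed to have, and when a value must be embedded in JavaScript, encode it for that context (json_encode() with the JSON_HEX_* flags, or esc_js() inside WordPress) instead of decoding entities out of it.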

Diligently Update In Order To Be Safe

Updating to the patched version of the Live Chat with Facebook Messenger plugin is the most obvious yet most important protection. Zotabox has already released version 1.4.9 of the plugin; update to it as soon as possible to head off any exploitation attempts. Note that patching the handler does not by itself remove a malicious value that was already stored in the plugin’s options, so after updating, check the plugin’s Zotabox settings and reconnect if the stored domain ID is not the one you expect.

Beyond that, put a robust process in place for sanitizing and validating input across your website, so that bug classes such as SQLi, XSS and CSRF are caught before they reach production.

A Comprehensive Solution For Security

At times like this, taking security for granted can cost you a lot of money. Protecting your website with continuous, comprehensive monitoring goes a long way. Security services such as Sucuri or the Cloudflare security suite can be a savior.

Both Sucuri and Cloudflare provide your website with a web application firewall that puts a barrier between your site and SQLi, CSRF, bad bots, XSS and 300+ other potential attacks.

2 Comments

  • Zotabox Marketing Tools
    August 22, 2019 7:57 AM

    Thank you for this article. Zotabox patched this vulnerability the same day we were notified by WP and emailed everyone affected 3 times. We recommend users UPDATE our PLUGIN. Then de-activate and activate again to remove bad script. We are sorry for any inconvenience caused.
