Live Chat With Facebook Messenger Plugin Critical XSS Vulnerability Revealed


Because of WordPress's widespread presence, attackers are eager to exploit almost any popular WordPress plugin. Accordingly, vulnerability disclosure in WordPress plugins is starting to look like an endless exercise. This time it is Zotabox's Live Chat with Facebook Messenger plugin: a persistent (stored) critical XSS vulnerability in Live Chat with Facebook Messenger by Zotabox has been revealed.

According to the official WordPress plugin directory, this plugin has more than 30,000 active installations. As indicated by WordPress.org, it was updated a day ago to version 1.4.9, which patches the vulnerability.


Live Chat With Facebook Messenger Plugin Critical XSS Vulnerability Details

The function update_zb_fbc_code is reachable by anyone through WordPress's AJAX mechanism (admin-ajax.php), which lets a script send data to the server and receive a response without reloading the page.

As the following code lines show, both the wp_ajax_update_zb_fbc_code hook (for authenticated users) and the wp_ajax_nopriv_update_zb_fbc_code hook (for unauthenticated users) call the same update_zb_fbc_code function. Hence the plugin settings can be modified by any user, logged in or not. We cannot overstate how critical such a vulnerability is and how easily it can be abused.



add_action("wp_ajax_update_zb_fbc_code", "update_zb_fbc_code");        // logged-in users
add_action("wp_ajax_nopriv_update_zb_fbc_code", "update_zb_fbc_code"); // anonymous visitors

In addition, the update_zb_fbc_code function performs no nonce or other check to prevent cross-site request forgery (CSRF) before the plugin settings are modified. Input sanitization and validation are also very limited: the only filtering applied is addslashes(), which is completely inadequate, because the changed settings are rendered on the front end, where escaped quotes do nothing to stop script injection.


function update_zb_fbc_code(){
	header('Access-Control-Allow-Origin: *');
	header('Access-Control-Allow-Credentials: true');
	// addslashes() only escapes quotes; it is not HTML/JS output encoding
	$domain = addslashes($_REQUEST['domain']);
	$public_key = addslashes($_REQUEST['access']);
	$id = intval($_REQUEST['customer']);
	$zbEmail = addslashes($_REQUEST['email']);
	if(!isset($domain) || empty($domain)){
		header("Location: ".admin_url()."admin.php?page=zb_fbc");
	}else{
		// no nonce or capability check before the options are written
		update_option( 'ztb_domainid', $domain );
		update_option( 'ztb_access_key', $public_key );
		update_option( 'ztb_id', $id );
		update_option( 'ztb_email', $zbEmail );
		update_option( 'ztb_status_disconnect', 2 );
		wp_send_json( array(
			'error' => false,
			'message' => 'Update Zotabox embedded code successful !'
			)
		);
	}
}
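For contrast, here is how the same settings handler looks when the two missing controls (CSRF protection and authorization) and proper input validation are in place. This is an added example written for this article, not Zotabox's code or the 1.4.9 patch; the nonce action name zb_fbc_update, the script handle, the admin page hook name and the assumed format of the domain id and access key are all assumptions. It also sends no CORS headers, so the handler is no longer callable cross-origin with credentials.

```php
<?php
// Added example (not the plugin's code): a hardened version of the AJAX handler.

// Register for authenticated requests only. There is deliberately no
// wp_ajax_nopriv_ hook, so anonymous visitors cannot reach the handler at all.
add_action( 'wp_ajax_update_zb_fbc_code', 'zb_fbc_secure_update' );

function zb_fbc_secure_update() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() replies with 403 and dies if the nonce is invalid.
    check_ajax_referer( 'zb_fbc_update', 'nonce' ); // action name is an assumption

    // 2. Authorization: being logged in is not enough; only admins may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Validation: accept only the shape each setting is allowed to have.
    $domain     = isset( $_POST['domain'] )   ? sanitize_text_field( wp_unslash( $_POST['domain'] ) ) : '';
    $public_key = isset( $_POST['access'] )   ? sanitize_text_field( wp_unslash( $_POST['access'] ) ) : '';
    $id         = isset( $_POST['customer'] ) ? absint( $_POST['customer'] ) : 0;
    $email      = isset( $_POST['email'] )    ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    // The domain id is later interpolated into a <script src> URL; restrict it to
    // characters that can never break out of a URL path segment or an HTML tag.
    // The allowed length/alphabet is an assumption about Zotabox ids.
    if ( ! preg_match( '/^[A-Za-z0-9]{1,64}$/', $domain ) ) {
        wp_send_json_error( array( 'message' => 'Invalid domain id.' ), 400 );
    }
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,128}$/', $public_key ) ) {
        wp_send_json_error( array( 'message' => 'Invalid access key.' ), 400 );
    }
    if ( '' !== $email && ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid e-mail address.' ), 400 );
    }

    update_option( 'ztb_domainid', $domain );
    update_option( 'ztb_access_key', $public_key );
    update_option( 'ztb_id', $id );
    update_option( 'ztb_email', $email );
    update_option( 'ztb_status_disconnect', 2 );

    wp_send_json_success( array( 'message' => 'Settings updated.' ) );
}

// The settings page script needs the nonce; hand it to the enqueued admin
// script instead of exposing the endpoint to unauthenticated callers.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'toplevel_page_zb_fbc' !== $hook ) { // assumed hook name for page=zb_fbc
        return;
    }
    wp_enqueue_script( 'zb-fbc-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'zb-fbc-admin', 'zbFbc', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'zb_fbc_update' ),
    ) );
} );
```

The admin script (assumed to be admin.js) then POSTs `action=update_zb_fbc_code` together with `nonce=zbFbc.nonce` to `zbFbc.ajaxUrl`; a request without a valid nonce, or from a user below administrator, never reaches update_option().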


The subsequent rendering steps are affected by this critical XSS vulnerability in Live Chat with Facebook Messenger as well. The plugin registers insert_zb_fbc_code() to run whenever WordPress renders the page head:


add_action( 'wp_head', 'insert_zb_fbc_code' );

That function passes the stored domain id on to print_zb_fbc_code(), and so forth.


function insert_zb_fbc_code(){
	if(!is_admin()){
		$domain = get_option( 'ztb_domainid', '' );
		$ztb_source = get_option('ztb_source','');
		$ztb_status_disconnect = get_option('ztb_status_disconnect','');
		$connected = 2;
		if(!empty($domain) && strlen($domain) > 0 && $ztb_status_disconnect == $connected){
			// html_entity_decode() undoes any entity encoding before the value is printed
			print_r(html_entity_decode(print_zb_fbc_code($domain)));
		}
	}
}



function print_zb_fbc_code($domainSecureID = "", $isHtml = false) {

	$ds1 = substr($domainSecureID, 0, 1);
	$ds2 = substr($domainSecureID, 1, 1);
	$baseUrl = '//static.zotabox.com';
	// $domainSecureID is interpolated into the script tag without any escaping
	$code = <<<STRING
<script type="text/javascript">
(function(d,s,id){var z=d.createElement(s);z.type="text/javascript";z.id=id;z.async=true;z.src="{$baseUrl}/{$ds1}/{$ds2}/{$domainSecureID}/widgets.js";var sz=d.getElementsByTagName(s)[0];sz.parentNode.insertBefore(z,sz)}(document,"script","zb-embed-code"));
</script>
STRING;
	return $code;
}
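The output side deserves the same care as the input side: an option written by an older, vulnerable version of the plugin (or by a compromised admin account) is still sitting in the database when the patched code runs. The following added example, written for this article and not part of Zotabox's plugin, renders the embed snippet while treating the stored id as untrusted: it re-validates the value (the allowed id format is an assumption), emits it into JavaScript as a JSON string literal, and drops the html_entity_decode() call that turned entity-encoded data back into live markup.

```php
<?php
// Added example (not the plugin's code): hardened rendering of the embed snippet.

function zb_fbc_secure_widget_url( $domainSecureID ) {
    // Re-validate on output; the alphabet/length is an assumed Zotabox id format.
    if ( ! preg_match( '/^[A-Za-z0-9]{1,64}$/', $domainSecureID ) ) {
        return '';
    }
    $ds1 = substr( $domainSecureID, 0, 1 );
    $ds2 = substr( $domainSecureID, 1, 1 );
    return 'https://static.zotabox.com/' . $ds1 . '/' . $ds2 . '/' . $domainSecureID . '/widgets.js';
}

function zb_fbc_secure_print_code( $domainSecureID ) {
    $url = zb_fbc_secure_widget_url( $domainSecureID );
    if ( '' === $url ) {
        return '';
    }
    // wp_json_encode() yields a quoted JS string literal; JSON_HEX_TAG/JSON_HEX_AMP
    // additionally encode < > &, and json_encode escapes "/" by default, so the
    // value can neither close the string nor terminate the <script> element.
    $js_url = wp_json_encode( esc_url_raw( $url ), JSON_HEX_TAG | JSON_HEX_AMP );
    return "<script type=\"text/javascript\">\n"
        . "(function(d,s,id){var z=d.createElement(s);z.type=\"text/javascript\";z.id=id;z.async=true;"
        . "z.src={$js_url};var sz=d.getElementsByTagName(s)[0];sz.parentNode.insertBefore(z,sz)}"
        . "(document,\"script\",\"zb-embed-code\"));\n"
        . "</script>\n";
}

function zb_fbc_secure_insert_code() {
    if ( is_admin() ) {
        return;
    }
    $domain = get_option( 'ztb_domainid', '' );
    if ( '' === $domain || 2 !== (int) get_option( 'ztb_status_disconnect', '' ) ) {
        return;
    }
    // No html_entity_decode() here: the snippet is printed exactly as built above.
    echo zb_fbc_secure_print_code( $domain );
}
add_action( 'wp_head', 'zb_fbc_secure_insert_code' );
```

With this in place a stored value such as a string containing `"` or `</script>` fails the regex and produces no output at all; even if the regex were relaxed, the JSON encoding keeps the value inside the JavaScript string.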


Diligently Update In Order To Be Safe

Updating to the patched version of the Live Chat with Facebook Messenger plugin is by far the most obvious yet crucial safety measure. The Live Chat with Facebook Messenger plugin by Zotabox has already been updated to version 1.4.9. Make sure you update to this version as soon as possible to mitigate any abuse attempts.

In addition, a robust mechanism for sanitizing and validating input on your website protects against issues such as SQLi, XSS and CSRF.


A Comprehensive Solution For Security

At times like these, taking security for granted can cost you a lot of money. Protecting your website with a continuous and comprehensive monitoring system goes a long way towards keeping it secure. Security solutions such as Sucuri and the Cloudflare security suite can be a savior.

Both Sucuri and Cloudflare provide your website with a firewall that puts a barrier against SQLi, CSRF, bad bots, XSS and 300+ other potential attacks.

Comments

  • Zotabox Marketing Tools
    August 22, 2019 7:57 AM

    Thank you for this article. Zotabox patched this vulnerability the same day we were notified by WP and emailed everyone affected 3 times. We recommend users UPDATE our PLUGIN. Then de-activate and activate again to remove the bad script. We are sorry for any inconvenience caused.
