Live Chat With Facebook Messenger Plugin Critical XSS Vulnerability Revealed

Last Updated: 24th July, 2022

Because of WordPress's enormous install base, attackers try to abuse almost any popular WordPress plugin, and vulnerability disclosures in WordPress plugins have become a seemingly endless exercise. This time it is Zotabox's Live Chat with Facebook Messenger plugin: a persistent (stored) cross-site scripting (XSS) vulnerability, rated critical, has been revealed in it.

According to the official WordPress plugin directory, the plugin has more than 30,000 active installations. It was updated a day ago to version 1.4.9, which patches the vulnerability.

Live Chat With Facebook Messenger Plugin XSS Vulnerability Details

The function update_zb_fbc_code is reachable by anyone through the WordPress AJAX endpoint (admin-ajax.php), the mechanism that lets a page send data to the server and receive a response without reloading.

As the following lines show, both wp_ajax_update_zb_fbc_code (fired for authenticated users) and wp_ajax_nopriv_update_zb_fbc_code (fired for unauthenticated visitors) are hooked to the same update_zb_fbc_code function. Hence the plugin settings can be modified by any visitor, logged in or not. It is hard to overstate how serious this is and how easily it can be abused.

add_action("wp_ajax_update_zb_fbc_code", "update_zb_fbc_code");
add_action("wp_ajax_nopriv_update_zb_fbc_code", "update_zb_fbc_code");

In addition, update_zb_fbc_code performs no nonce or capability check to prevent cross-site request forgery (CSRF) before the plugin settings are modified, and it does almost nothing to sanitize or validate the input it stores. The only filtering applied is addslashes(), which is no protection at all here, because the stored values are later rendered unescaped into the site's front-end pages.

function update_zb_fbc_code(){
	header('Access-Control-Allow-Origin: *');
	header('Access-Control-Allow-Credentials: true');
	$domain = addslashes($_REQUEST['domain']);
	$public_key = addslashes($_REQUEST['access']);
	$id = intval($_REQUEST['customer']);
	$zbEmail = addslashes($_REQUEST['email']);
	if(!isset($domain) || empty($domain)){
		header("Location: ".admin_url()."admin.php?page=zb_fbc");
	}else{
		update_option( 'ztb_domainid', $domain );
		update_option( 'ztb_access_key', $public_key );
		update_option( 'ztb_id', $id );
		update_option( 'ztb_email', $zbEmail );
		update_option( 'ztb_status_disconnect', 2 );
		wp_send_json( array(
			'error' => false,
			'message' => 'Update Zotabox embedded code successful !'
			)
		);
	}
}
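The following is an added example, not Zotabox's patched code, of how this handler can be hardened: the nopriv hook is dropped so anonymous visitors cannot reach it at all, a capability check and a nonce check are added, and every field is validated before it reaches update_option(). The hook and option names are the ones shown above; the nonce action name zb_fbc_update, the nonce argument _ajax_nonce, the allowlist pattern for the domain ID and the helper function names are assumptions.

```php
<?php
// Added example (not the plugin's own code): a hardened replacement for the
// update_zb_fbc_code AJAX handler. Option names and hook names are taken from
// the vulnerable code above; the nonce action 'zb_fbc_update', the nonce
// argument '_ajax_nonce' and the helper names are assumptions.

// Only the authenticated hook is registered. Without the *_nopriv_* hook,
// admin-ajax.php answers an anonymous request for this action with "0".
add_action( 'wp_ajax_update_zb_fbc_code', 'zb_fbc_secure_update' );

/**
 * Allowlist validation for the Zotabox domain ID. The widget URL is built
 * from this value, so only a conservative character set is accepted
 * (assumption: IDs are alphanumeric, as the substr()-based path in
 * print_zb_fbc_code() implies). Returns '' when the value is rejected.
 */
function zb_fbc_validate_domain_id( $value ) {
	$value = trim( (string) $value );
	return preg_match( '/^[A-Za-z0-9]{2,64}$/', $value ) ? $value : '';
}

function zb_fbc_secure_update() {
	// 1. Authorization: only users allowed to manage settings may change them.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 2. CSRF protection: the request must carry a nonce issued for this
	//    action. check_ajax_referer() terminates the request with 403 on failure.
	check_ajax_referer( 'zb_fbc_update', '_ajax_nonce' );

	// 3. Validate and sanitize every field. $_POST only: a state-changing
	//    action should not be reachable through GET parameters via $_REQUEST.
	$domain = zb_fbc_validate_domain_id( isset( $_POST['domain'] ) ? wp_unslash( $_POST['domain'] ) : '' );
	$access = isset( $_POST['access'] ) ? sanitize_text_field( wp_unslash( $_POST['access'] ) ) : '';
	$id     = isset( $_POST['customer'] ) ? absint( $_POST['customer'] ) : 0;
	$email  = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

	if ( '' === $domain ) {
		wp_send_json_error( array( 'message' => 'Invalid domain ID.' ), 400 );
	}
	if ( '' !== $email && ! is_email( $email ) ) {
		wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
	}

	// The wildcard CORS headers of the original are deliberately not emitted:
	// a settings endpoint has no reason to be callable from other origins.
	update_option( 'ztb_domainid', $domain );
	update_option( 'ztb_access_key', $access );
	update_option( 'ztb_id', $id );
	update_option( 'ztb_email', $email );
	update_option( 'ztb_status_disconnect', 2 );

	wp_send_json_success( array( 'message' => 'Update Zotabox embedded code successful !' ) );
}
```

The settings page has to emit the matching nonce with wp_create_nonce( 'zb_fbc_update' ) and send it as _ajax_nonce with the AJAX request; without it, check_ajax_referer() ends the request with HTTP 403. A forged request from a logged-in administrator therefore fails on the nonce, and a request from anyone else fails on current_user_can(), so neither path reaches update_option().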

The front-end rendering path is where the stored value becomes dangerous. The plugin registers insert_zb_fbc_code() on the wp_head action, so it runs on every front-end page load:

add_action( 'wp_head', 'insert_zb_fbc_code' );

That function reads the stored domain ID back from the options table, passes it to print_zb_fbc_code() and prints the result, after running it through html_entity_decode(), which would undo any entity encoding even if some had been applied:

function insert_zb_fbc_code(){
	if(!is_admin()){
		$domain = get_option( 'ztb_domainid', '' );
		$ztb_source = get_option('ztb_source','');
		$ztb_status_disconnect = get_option('ztb_status_disconnect','');
		$connected = 2;
		if(!empty($domain) && strlen($domain) > 0 && $ztb_status_disconnect == $connected){
			print_r(html_entity_decode(print_zb_fbc_code($domain)));
		}
	}
}

function print_zb_fbc_code($domainSecureID = "", $isHtml = false) {
	$ds1 = substr($domainSecureID, 0, 1);
	$ds2 = substr($domainSecureID, 1, 1);
	$baseUrl = '//';
	$code = <<<STRING
<script type="text/javascript">
(function(d,s,id){var z=d.createElement(s);z.type="text/javascript";z.async=true;z.src="{$baseUrl}/{$ds1}/{$ds2}/{$domainSecureID}/widgets.js";var sz=d.getElementsByTagName(s)[0];sz.parentNode.insertBefore(z,sz)}(document,"script","zb-embed-code"));
</script>
STRING;
	return $code;
}
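The attacker-controlled $domainSecureID is interpolated straight into a JavaScript string inside a heredoc, so a value containing a double quote or a closing script tag breaks out of the intended context. Output escaping is the second half of the fix. The block below is an added example, not the plugin's own code, of a rendering path that re-validates the stored domain ID at output time and emits the script URL as a JSON-encoded JavaScript string literal instead of raw interpolation; the print_r(html_entity_decode(...)) pair is dropped, since decoding entities at output time would reverse any escaping done earlier. The option names and the wp_head hook are from the page; ZB_FBC_BASE_URL (the page shows $baseUrl only as '//') and the function names are assumptions.

```php
<?php
// Added example (not the plugin's own code): a hardened replacement for
// insert_zb_fbc_code() / print_zb_fbc_code(). Option names and the wp_head
// hook are from the vulnerable code; ZB_FBC_BASE_URL is an assumption that
// stands in for the widget host the real plugin embeds.

if ( ! defined( 'ZB_FBC_BASE_URL' ) ) {
	define( 'ZB_FBC_BASE_URL', 'https://example.invalid' ); // placeholder (assumption)
}

add_action( 'wp_head', 'zb_fbc_secure_insert' );

function zb_fbc_secure_insert() {
	if ( is_admin() ) {
		return;
	}
	$domain    = (string) get_option( 'ztb_domainid', '' );
	$connected = 2 === (int) get_option( 'ztb_status_disconnect', '' );

	// Re-validate at output time. Options can be written by other code paths
	// (another vulnerable plugin, a direct database edit), so the stored value
	// is never trusted just because it was validated when it was saved.
	if ( ! $connected || ! preg_match( '/^[A-Za-z0-9]{2,64}$/', $domain ) ) {
		return;
	}
	echo zb_fbc_secure_print( $domain ); // escaping happens inside
}

function zb_fbc_secure_print( $domain ) {
	$src = sprintf(
		'%s/%s/%s/%s/widgets.js',
		ZB_FBC_BASE_URL,
		substr( $domain, 0, 1 ),
		substr( $domain, 1, 1 ),
		$domain
	);

	// esc_url() rejects unexpected schemes and encodes characters that do not
	// belong in a URL; wp_json_encode() then turns the result into a quoted
	// JavaScript string literal, so the value can neither terminate the string
	// nor the <script> element (json_encode escapes "/" as "\/", so a stray
	// "</script>" would be emitted as "<\/script>").
	$src_js = wp_json_encode( esc_url( $src ) );

	return "<script type=\"text/javascript\">\n"
		. '(function(d,s,id){var z=d.createElement(s);z.type="text/javascript";z.async=true;'
		. 'z.src=' . $src_js . ';z.id=id;'
		. 'var sz=d.getElementsByTagName(s)[0];sz.parentNode.insertBefore(z,sz);}'
		. '(document,"script","zb-embed-code"));' . "\n"
		. "</script>\n";
}
```

The belt-and-braces approach matters here: the allowlist check alone would have been enough for the original code path, and the JSON encoding alone would have been enough if some other code wrote an unvalidated value into ztb_domainid, but only together do they protect against both. An alternative in the WordPress idiom is to register the URL through wp_enqueue_script() on the wp_enqueue_scripts hook, which lets core apply esc_url() and render the tag itself.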

Diligently Update In Order To Be Safe

Updating to the patched version of the Live Chat with Facebook Messenger plugin is the most obvious, and the most important, safety measure. Zotabox has released version 1.4.9 with the fix. Update to this version as soon as possible to cut off any exploitation attempts.

More generally, a website needs a consistent approach to sanitizing and validating input and escaping output, together with CSRF protection on every state-changing action, so that SQL injection, XSS, CSRF and similar classes of flaws are kept out by design rather than patched one plugin at a time.

A Comprehensive Solution For Security

Taking security for granted at times like this can cost you a great deal of money. Continuous, comprehensive monitoring goes a long way toward securing your website. Security solutions such as Sucuri or the Cloudflare security suite can help.

Both Sucuri and Cloudflare provide a web application firewall that puts a barrier in front of your site against SQLi, CSRF, bad bots, XSS and, by their count, 300+ other attack patterns. A firewall is a compensating control, not a substitute for the plugin update.


2 Comments

  • Zotabox Marketing Tools
    August 22, 2019 7:57 AM

    Thank you for this article. Zotabox patched this vulnerability the same day we were notified by WP and emailed everyone affected 3 times. We recommend users UPDATE our PLUGIN. Then de-activate and activate again to remove bad script. We are sorry for any inconvenience caused.
