Facebook Chat Plugin Vulnerability Allows Hackers to Access Sites
CVE-2020-36838
Key Information:
- Vendor: WordPress
- CVE Published: 16 October 2024
Summary
The Facebook Chat Plugin for WordPress contains a significant authorization bypass that can be exploited by authenticated attackers with low-level privileges. The wp_ajax_update_options function lacks a capability check, so such attackers can connect their own Facebook Messenger account to any website using the affected plugin and communicate with site visitors without authorization. This puts the integrity and trustworthiness of interactions on sites using the plugin at considerable risk and creates opportunities for social engineering attacks and unauthorized messaging.
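The flaw class described in the summary, shown as an added example that is not the plugin's own code: a WordPress AJAX settings handler without a capability check, next to a hardened form. Every name prefixed "example_", the "page_id" and "nonce" request fields, and the numeric-ID assumption are hypothetical.

```php
<?php
/**
 * Added illustration, not the plugin's code. All names prefixed "example_"
 * are hypothetical. Intended to live in a WordPress plugin file.
 */

// BEFORE: a wp_ajax_* hook fires for every logged-in user, so without a
// capability check any account, however low its role, can change the setting.
add_action( 'wp_ajax_example_update_options_unsafe', 'example_update_options_unsafe' );
function example_update_options_unsafe() {
    $page_id = sanitize_text_field( wp_unslash( $_POST['page_id'] ?? '' ) );
    update_option( 'example_chat_page_id', $page_id ); // no authorization at all
    wp_send_json_success();
}

// AFTER: verify intent (nonce) and authority (capability) before writing.
add_action( 'wp_ajax_example_update_options', 'example_update_options' );
function example_update_options() {
    // Reject requests that do not carry the settings screen's nonce (CSRF defence).
    if ( ! check_ajax_referer( 'example_update_options', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }
    // The missing check: only users who may manage site settings can proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $page_id = sanitize_text_field( wp_unslash( $_POST['page_id'] ?? '' ) );
    // Constrain the value to the expected shape (assumed here: a numeric ID).
    if ( ! ctype_digit( $page_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid page ID.' ), 400 );
    }
    update_option( 'example_chat_page_id', $page_id );
    wp_send_json_success();
}
```

wp_send_json_error() ends the request after sending its response, so each failed check stops execution before update_option() is reached.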
Affected Version(s)
Facebook Chat Plugin – Live Chat Plugin for WordPress * < 1.6