Irked Researcher Discloses Facebook WordPress Plugin Flaws

[silversurfer]

A WordPress security researcher claims he has found two WordPress plugins developed by Facebook called Facebook for WooCommerce and Messenger Customer Chat. The researcher claims both have cross-site request forgery flaws. The researcher published the bugs on the Plugin Vulnerabilities website, disclosing the flaws ahead of notifying the vendor in what it says is a protest against moderators of the WordPress Support Forum.
 
According to the firm, both plugins, developed by Facebook, are widely used. Messenger Customer Chat, with 200,000 installs, allows customers to integrate Facebook’s chat tool on their WordPress websites to interact with customers. The Facebook for WooCommerce, with 20,000 installs, allows users to connect their WooCommerce products to Facebook.
 
Because researcher did not disclose the plugins responsibly and allow a patch to be made available to effected websites ahead of disclosure, Threatpost will limit information and links associated with the researcher’s report. It is not the first time the researcher has reported flaws in WordPress plugins before patches were made available. Subsequently, the researcher and Plugin Vulnerabilities have been a lightning for criticism in the infosec space.
 
The flaws were made public by Plugin Vulnerabilities on Monday via its website and Twitter account.
Facebook did not respond to multiple requests for comment from Threatpost.

SOURCE: https://threatpost.com/irked-researcher-...ws/145771/