Serious bug found in official Facebook WordPress chat plugin allows attackers to intercept messages
A critical vulnerability in the official Facebook WordPress chat plugin allows an attacker to intercept any message a Facebook user sends through the site's chat, or to connect with any Facebook user who visited the website. The vulnerability was discovered by security researchers at Wordfence, who specialize in WordPress vulnerabilities.
The Official Facebook Chat Plugin is installed on nearly 80,000 WordPress-powered websites, where site owners use it to let visitors chat with them. Wordfence's threat intelligence team discovered that any low-privileged user could connect their own Facebook Messenger account to a site running the vulnerable plugin and engage in chats with that site's visitors. The vulnerability has a high CVSS score of 7.4.
As a result of the flaw, unknown hackers could link their own Facebook Page Messenger account, by updating the page ID, to any given site running the plugin as long as they were able to register on the site and access the /wp-admin dashboard. The attacker would then receive any messages initiated from the site’s Messenger Chat, and the site owner would no longer receive any messages initiated from the chat.
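The root cause described above is an access-control failure: a settings-changing request that any registered user could issue. The snippet below is an added illustration of that class of bug and its fix, written for this article; it is not the plugin's own code, and every function and option name (example_chat_*) is hypothetical. It shows a WordPress AJAX handler that saves a page ID with no capability or nonce check, beside a hardened version that restricts the action to administrators, verifies a nonce, and validates the value.

```php
<?php
// Added example, not the plugin's code. All names are hypothetical.

// Vulnerable pattern: a wp_ajax_* handler reachable by any logged-in user
// (including a self-registered subscriber) that saves a site-wide option
// without checking who is asking or where the request came from.
function example_chat_save_page_id_vulnerable() {
    $page_id = isset( $_POST['page_id'] ) ? sanitize_text_field( wp_unslash( $_POST['page_id'] ) ) : '';
    update_option( 'example_chat_page_id', $page_id ); // hypothetical option name
    wp_send_json_success();
}
add_action( 'wp_ajax_example_chat_save_page_id_vulnerable', 'example_chat_save_page_id_vulnerable' );

// Hardened pattern: capability check, nonce check, and input validation
// before the option is written.
function example_chat_save_page_id_secure() {
    // 1. Only users allowed to manage site settings may change this option.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. Require a nonce issued by the plugin's own settings form (CSRF defence).
    //    check_ajax_referer() terminates the request if the nonce is invalid.
    check_ajax_referer( 'example_chat_save_page_id', 'nonce' );

    // 3. A Facebook Page ID is a decimal number; reject anything else so a
    //    malformed or attacker-shaped value never reaches the database.
    $raw = isset( $_POST['page_id'] ) ? wp_unslash( $_POST['page_id'] ) : '';
    if ( ! preg_match( '/^\d{1,20}$/', $raw ) ) {
        wp_send_json_error( array( 'message' => 'Invalid page ID.' ), 400 );
    }

    update_option( 'example_chat_page_id', $raw );
    wp_send_json_success( array( 'page_id' => $raw ) );
}
add_action( 'wp_ajax_example_chat_save_page_id_secure', 'example_chat_save_page_id_secure' );

// Settings form fragment that issues the nonce the secure handler verifies.
// Rendering it only for administrators keeps the nonce out of reach of
// low-privileged accounts.
function example_chat_render_settings_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $nonce = wp_create_nonce( 'example_chat_save_page_id' );
    echo '<input type="hidden" id="example_chat_nonce" value="' . esc_attr( $nonce ) . '">';
}
```

The capability check is the control that matters for the bug described in this article: `wp_ajax_*` actions are available to every authenticated user, so a handler that changes site-wide configuration must itself confirm the caller holds `manage_options` (or an equivalent capability) rather than relying on the fact that the request arrived via the admin dashboard. Site owners who allow open registration should treat every such handler in every installed plugin as exposed to self-registered accounts.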
Researchers initially reached out to Facebook on June 26, 2020, and included the full disclosure details at the time of reaching out. Facebook acknowledged the vulnerability and released a patch on July 28, 2020.
If you are using the Official Facebook Chat Plugin, you should update it to version 1.6 immediately to keep your site protected against any attacks attempting to exploit this vulnerability.