CyberNews Briefs

Disgruntled security firm discloses zero-days in Facebook’s WordPress plugins

A security firm holding a grudge against WordPress recently published proof-of-concept (PoC) code for two zero-day vulnerabilities affecting two official Facebook plugins for WordPress: “Messenger Customer Chat” (about 20,000 installations) and “Facebook for WooCommerce” (about 200,000 installations). The flaws are not trivial to exploit, but a successful attack can let a threat actor take over a vulnerable website.

The company that released the zero-days specializes in researching WordPress flaws. It used to post newly discovered vulnerabilities directly on the WordPress.org forums. When the forums stopped permitting that practice a few years ago, the researchers refused to change their approach and were banned from the forums. Rather than following the official responsible-disclosure route (reporting privately so that a fix can ship before details become public), the firm began publishing zero-days on its own blog, leaving plugin users exposed until a patch is available. The same happened in this case.

Read more: Disgruntled security firm discloses zero-days in Facebook’s WordPress plugins

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.