A security firm holding a grudge against WordPress recently released proof-of-concept (PoC) code for two zero-days affecting two official Facebook plugins for WordPress. The impacted plugins are “Messenger Customer Chat” (20,000 installations) and “Facebook for WooCommerce” (200,000 installations). The flaws are tricky to exploit, but can enable threat actors to take over vulnerable websites.
The security company that released the zero-days specializes in researching WordPress flaws. Initially, the firm posted every new vulnerability on the WordPress.org forums. When the forums stopped allowing this practice a few years ago, the researchers refused to change their approach and were banned from the forums as a result. Instead of following the official route of responsible disclosure to WordPress, the firm began publishing zero-days on its blog, putting plugin users at risk. The same happened in this case.
Read more: Disgruntled security firm discloses zero-days in Facebook’s WordPress plugins