Critical XSS Vulnerability in FB messenger live chat

Given how widespread WordPress is, attackers constantly probe every popular WordPress plugin, so vulnerability disclosures in WordPress plugins seem like a never-ending process. This time it is FB messenger live chat by Zotabox, in which a persistent (stored) XSS vulnerability has been uncovered.

This WordPress plugin has more than 30,000 active installations according to the official WordPress plugin directory. At the time of writing, WordPress.org shows that it was updated a day ago, and the new release, version 1.4.9, patches the vulnerability.


Details of the XSS vulnerability in FB messenger live chat

The plugin exposes its settings handler through the WordPress AJAX mechanism (admin-ajax.php), which lets a script send data to the server and receive a response without reloading the page. The handler function, update_zb_fbc_code(), is reachable by anyone.

As the following lines show, both wp_ajax_update_zb_fbc_code (fired for authenticated users) and wp_ajax_nopriv_update_zb_fbc_code (fired for unauthenticated visitors) are wired to the same function, update_zb_fbc_code(). Any visitor, logged in or not, can therefore modify the plugin settings. It is hard to overstate how critical this is and in how many ways it could be misused.

add_action("wp_ajax_update_zb_fbc_code", "update_zb_fbc_code");         // logged-in users
add_action("wp_ajax_nopriv_update_zb_fbc_code", "update_zb_fbc_code");  // unauthenticated visitors

Moreover, update_zb_fbc_code() performs no capability check (current_user_can()) and no nonce check (check_ajax_referer()) before it changes the plugin settings, so even for logged-in users the request is open to cross-site request forgery (CSRF). It also emits Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true headers on a state-changing endpoint. The sanitisation and validation of the input are equally thin: the only filtering applied is addslashes(), which backslash-escapes quotes for use inside a string but does nothing about HTML or JavaScript metacharacters. That is the wrong tool here, because the stored value is later rendered on the front end inside a <script> block, after being passed through html_entity_decode(), which undoes any entity encoding an attacker chooses to use.

function update_zb_fbc_code(){
	// Permissive CORS headers on a state-changing endpoint
	header('Access-Control-Allow-Origin: *');
	header('Access-Control-Allow-Credentials: true');
	// addslashes() is the only "sanitisation"; there is no capability or nonce check
	$domain = addslashes($_REQUEST['domain']);
	$public_key = addslashes($_REQUEST['access']);
	$id = intval($_REQUEST['customer']);
	$zbEmail = addslashes($_REQUEST['email']);
	if(!isset($domain) || empty($domain)){
		header("Location: ".admin_url()."admin.php?page=zb_fbc");
	}else{
		// Attacker-controlled values are written straight into wp_options
		update_option( 'ztb_domainid', $domain );
		update_option( 'ztb_access_key', $public_key );
		update_option( 'ztb_id', $id );
		update_option( 'ztb_email', $zbEmail );
		update_option( 'ztb_status_disconnect', 2 );
		wp_send_json( array(
			'error' => false,
			'message' => 'Update Zotabox embedded code successful !'
			)
		);
	}
}
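For comparison, here is how the handler could be written so that it is no longer reachable anonymously, is protected against CSRF, and only stores values that have been validated for the context they end up in. This is an added example for this article, not Zotabox's code and not the change shipped in 1.4.9. It assumes a nonce field named zb_fbc_nonce issued on the settings page with wp_nonce_field('zb_fbc_update', 'zb_fbc_nonce'), and that a Zotabox domain id contains only letters, digits, hyphens and underscores (an assumption to verify against a real value before enforcing it).

```php
<?php
// Hardened replacement for update_zb_fbc_code(), written for this article as an
// illustration. It is not Zotabox's code and not the fix shipped in 1.4.9.
// Assumptions (not taken from the plugin): the settings form sends a nonce field
// named "zb_fbc_nonce" created with wp_nonce_field('zb_fbc_update', 'zb_fbc_nonce'),
// and a Zotabox domain id consists only of [A-Za-z0-9_-] (check this against a
// real value before relying on it).

// Only the authenticated hook is registered. Unauthenticated visitors have no
// business changing plugin settings, so wp_ajax_nopriv_* is deliberately absent.
add_action( 'wp_ajax_update_zb_fbc_code', 'zb_fbc_update_settings_hardened' );

function zb_fbc_update_settings_hardened() {
	// 1. Authorisation: only users allowed to manage options may change them.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
	}

	// 2. CSRF: the request must carry a valid nonce bound to this action.
	//    check_ajax_referer() terminates the request on failure.
	check_ajax_referer( 'zb_fbc_update', 'zb_fbc_nonce' );

	// 3. Validation: the domain id is later placed in a URL inside a <script>
	//    block, so anything outside a strict character allow-list is rejected
	//    rather than "cleaned".
	$domain = isset( $_POST['domain'] ) ? wp_unslash( $_POST['domain'] ) : '';
	if ( ! preg_match( '/^[A-Za-z0-9_-]{2,64}$/', $domain ) ) {
		wp_send_json_error( array( 'message' => 'Invalid domain id.' ), 400 );
	}

	$public_key = isset( $_POST['access'] ) ? sanitize_text_field( wp_unslash( $_POST['access'] ) ) : '';
	$id         = isset( $_POST['customer'] ) ? absint( $_POST['customer'] ) : 0;
	$email      = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
	if ( '' !== $email && ! is_email( $email ) ) {
		wp_send_json_error( array( 'message' => 'Invalid e-mail address.' ), 400 );
	}

	// No Access-Control-Allow-* headers: admin-ajax.php must not be callable
	// cross-origin with credentials.
	update_option( 'ztb_domainid', $domain );
	update_option( 'ztb_access_key', $public_key );
	update_option( 'ztb_id', $id );
	update_option( 'ztb_email', $email );
	update_option( 'ztb_status_disconnect', 2 );

	wp_send_json_success( array( 'message' => 'Update Zotabox embedded code successful !' ) );
}
```

Validation by allow-list is deliberate: the value is a fixed-format identifier, so there is no reason to accept a quote, an ampersand, an entity sequence or a path separator and try to neutralise it later. The nonce check alone would not help here, since the original handler was reachable without any session; the capability check and the removal of the nopriv hook are what close the unauthenticated path.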

The stored, unsanitised value then reaches every front-end page. The plugin registers insert_zb_fbc_code() to run on the wp_head hook, i.e. whenever a WordPress page is loaded:

add_action( 'wp_head', 'insert_zb_fbc_code' );

insert_zb_fbc_code() reads the ztb_domainid option back, hands it to print_zb_fbc_code(), runs the result through html_entity_decode() and prints it straight into the page. Whatever was stored through the AJAX handler therefore lands, unescaped, inside the embed script's src string:

function insert_zb_fbc_code(){
	if(!is_admin()){
		// Value written by the unauthenticated AJAX handler above
		$domain = get_option( 'ztb_domainid', '' );
		$ztb_source = get_option('ztb_source','');
		$ztb_status_disconnect = get_option('ztb_status_disconnect','');
		$connected = 2;
		if(!empty($domain) && strlen($domain) > 0 && $ztb_status_disconnect == $connected){
			// Entities are decoded and the result printed without any escaping
			print_r(html_entity_decode(print_zb_fbc_code($domain)));
		}
	}
}

function print_zb_fbc_code($domainSecureID = "", $isHtml = false) {

	$ds1 = substr($domainSecureID, 0, 1);
	$ds2 = substr($domainSecureID, 1, 1);
	$baseUrl = '//static.zotabox.com';
	// $domainSecureID is interpolated directly into a JavaScript string literal
	$code = <<<STRING
<script type="text/javascript">
(function(d,s,id){var z=d.createElement(s);z.type="text/javascript";z.id=id;z.async=true;z.src="{$baseUrl}/{$ds1}/{$ds2}/{$domainSecureID}/widgets.js";var sz=d.getElementsByTagName(s)[0];sz.parentNode.insertBefore(z,sz)}(document,"script","zb-embed-code"));
</script>
STRING;
	return $code;
}
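The output side needs the same care, because a value already stored before the plugin was updated is still rendered on every page. The following is an added example (not the plugin's code and not its official fix) of a replacement for insert_zb_fbc_code() and print_zb_fbc_code(): it validates the stored id again, percent-encodes the path segments and emits the URL as a JSON string literal instead of interpolating it into the heredoc and decoding entities. It assumes, as above, that a Zotabox domain id contains only letters, digits, hyphens and underscores.

```php
<?php
// Safe counterpart to insert_zb_fbc_code()/print_zb_fbc_code(), written for this
// article. It is not the plugin's code or its official fix. Assumption (not from
// the plugin): a valid domain id matches [A-Za-z0-9_-]{2,64}.

function zb_fbc_code_safe( $domain_secure_id ) {
	// Belt and braces: even if the stored option was tampered with before the
	// input side was fixed, refuse to render anything outside the allow-list.
	if ( ! is_string( $domain_secure_id ) || ! preg_match( '/^[A-Za-z0-9_-]{2,64}$/', $domain_secure_id ) ) {
		return '';
	}

	$base_url = '//static.zotabox.com';
	// Each path segment is percent-encoded, so / " < > & cannot survive into the URL.
	$src = sprintf(
		'%s/%s/%s/%s/widgets.js',
		$base_url,
		rawurlencode( substr( $domain_secure_id, 0, 1 ) ),
		rawurlencode( substr( $domain_secure_id, 1, 1 ) ),
		rawurlencode( $domain_secure_id )
	);

	// The URL goes into the script as a JSON string literal. The JSON_HEX_* flags
	// turn < > & ' " into \u00XX escapes, so neither a "</script>" sequence nor a
	// quote can break out of the string or out of the <script> element.
	// (WordPress provides wp_json_encode() as a wrapper around json_encode().)
	$src_literal = json_encode(
		$src,
		JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_SLASHES
	);

	return '<script type="text/javascript">'
		. '(function(d,s,id){var z=d.createElement(s);z.type="text/javascript";z.id=id;z.async=true;'
		. 'z.src=' . $src_literal . ';'
		. 'var sz=d.getElementsByTagName(s)[0];sz.parentNode.insertBefore(z,sz)}'
		. '(document,"script","zb-embed-code"));'
		. '</script>';
}

function zb_fbc_insert_safe() {
	if ( is_admin() ) {
		return;
	}
	$domain = get_option( 'ztb_domainid', '' );
	// Same "connected" condition as the original, with a strict comparison.
	if ( '' !== $domain && 2 === (int) get_option( 'ztb_status_disconnect', '' ) ) {
		// Markup is already escaped; no html_entity_decode(), no print_r().
		echo zb_fbc_code_safe( $domain );
	}
}
add_action( 'wp_head', 'zb_fbc_insert_safe' );
```

Two things are worth noting. First, the original's html_entity_decode() is not merely useless but harmful: it means an attacker can store &quot; (which addslashes() ignores) and have it turned back into a real quote at render time. Second, escaping is chosen per context: percent-encoding for the URL path, and a JSON/JavaScript string literal for the script, which is why neither esc_attr() nor esc_html() would be the right function here.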

Update to be safe

The most obvious yet crucial safety measure is to update to the patched version of the plugin. The FB messenger live chat plugin has been updated to version 1.4.9. Make sure you update to this version as soon as possible to mitigate any exploitation attempts.

More generally, the fix for this class of bug is not a single filter. The AJAX action must be limited to authenticated users with the right capability, tied to a nonce to block CSRF, its input validated against what the value is supposed to look like, and the value escaped on output for the context in which it is rendered (here, a URL inside a <script> block).
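Updating closes the hole but does not tell you whether the ztb_* options were already overwritten while the site was exposed. The following script is an added example for this article (not part of the plugin, and not Astra's tooling) that inspects those options for the markers this injection path would leave behind and, if it finds any, switches the embed off until an administrator re-enters the real settings. It can be run inside WordPress with wp eval-file. It assumes that a genuine Zotabox domain id contains only letters, digits, hyphens and underscores; confirm that against a known-good installation before treating a mismatch as proof of compromise.

```php
<?php
// Post-update audit of the Zotabox options, written for this article. It is not
// part of the plugin or of any vendor tooling. Run inside WordPress, e.g.:
//     wp eval-file zb-fbc-audit.php
// Assumption (not from the plugin): a genuine domain id matches [A-Za-z0-9_-]{2,64};
// verify on a known-good site before acting on a mismatch.

function zb_fbc_audit_options( array $options ) {
	$findings = array();
	foreach ( $options as $name => $value ) {
		if ( ! is_string( $value ) ) {
			$findings[ $name ] = 'unexpected type ' . gettype( $value );
			continue;
		}
		if ( 'ztb_email' === $name ) {
			if ( '' !== $value && ! filter_var( $value, FILTER_VALIDATE_EMAIL ) ) {
				$findings[ $name ] = 'not a valid e-mail address';
			}
			continue;
		}
		// Markers of the injection path: HTML/JS metacharacters, a backslash left by
		// addslashes(), entity-encoded characters (&quot; survives addslashes() and is
		// undone by html_entity_decode() at render time) or percent-encoded < and ".
		if ( preg_match( '/[<>"\'&;\\\\]|&#|%3c|%22/i', $value ) ) {
			$findings[ $name ] = 'contains HTML/JS metacharacters or encoded quotes';
		} elseif ( 'ztb_domainid' === $name && ! preg_match( '/^[A-Za-z0-9_-]{2,64}$/', $value ) ) {
			$findings[ $name ] = 'outside the expected domain-id alphabet';
		}
	}
	return $findings;
}

$values = array();
foreach ( array( 'ztb_domainid', 'ztb_access_key', 'ztb_email' ) as $name ) {
	$values[ $name ] = get_option( $name, '' );
}
$findings = zb_fbc_audit_options( $values );

if ( empty( $findings ) ) {
	echo "ztb_* options look clean.\n";
} else {
	foreach ( $findings as $name => $why ) {
		printf( "%s: %s -> %s\n", $name, $why, var_export( $values[ $name ], true ) );
	}
	// Containment: insert_zb_fbc_code() only renders the embed when
	// ztb_status_disconnect == 2, so any other value stops the stored payload
	// from reaching visitors until the settings are re-entered in wp-admin.
	update_option( 'ztb_status_disconnect', 0 );
	echo "Embed disabled (ztb_status_disconnect set to 0); re-enter the settings in wp-admin.\n";
}
```

A flagged domain id is also a prompt to look at the web server logs for POST or GET requests to /wp-admin/admin-ajax.php carrying action=update_zb_fbc_code from unexpected sources, which is the only route by which the value changes.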

A comprehensive Security Solution

Taking security for granted will cost you very dearly in these times. Having a continuous and comprehensive monitoring system for your website will go a long way in securing your website. Security solutions like Astra WordPress Security Suite, tailored for WordPress can be a saviour. Astra offers Firewall for your website, which puts a barrier against XSS, CSRF, Bad bots, SQLi and 100+ other possible attacks. Get an Astra demo now or drop us a message here, and we will be happy to help.

About The Author

Aakanchha Keshri

Aakanchha is a tech & cybersecurity enthusiast. She is an active reader and writer of the cybersecurity genre.
