Critical XSS Vulnerability in FB messenger live chat
Updated on: March 29, 2020
Aakanchha Keshri
4 mins read
Article Summary
Owing to the widespread presence of WordPress, hackers, in fact try incessantly to make past every popular WordPress plugin. As a result, vulnerability disclosures in WordPress plugins almost seem like a never ending process. This time its Fb messenger live chat by Zotabox. So, FB messenger live chat by Zotabox has recently been disclosed to have persistent XSS vulnerability.
Owing to the widespread presence of WordPress, hackers, in fact, try incessantly to make past every popular WordPress plugin. As a result, vulnerability disclosures in WordPress plugins almost seem like a never-ending process. This time its FB messenger live chat by Zotabox. So, a persistent XSS vulnerability in FB messenger live chat by Zotabox is uncovered.
This WordPress plugin has more than 30,000 active installations as per the official WordPress plugin directory. According to WordPress.org, it has been updated a day ago with a newer version 1.4.9 of patched vulnerability.
Details of the XSS vulnerability in FB messenger live chat
Through the WordPress AJAX functionality, which is responsible for sending data to script and then receiving the data back without needing to reload the page, the function update_zb_fbc_code is accessible to anyone.
As you will see in the following lines of code that wp_ajax_update_zb_fbc_code (for authenticated users) & wp_ajax_nopriv_update_zb_fbc_code (for no privileged users), both use the same function “update_zb_fbc_code“. Thus, allowing any user (logged in or not) to modify the plugin settings. I can not emphasize it enough just how critical a vulnerability it is and in what ways it could be misused.
154 add_action("wp_ajax_update_zb_fbc_code", "update_zb_fbc_code");
155 add_action("wp_ajax_nopriv_update_zb_fbc_code", "update_zb_fbc_code");Moreover, the update_zb_fbc_code function does not check doesn’t possess capabilities to check or a check to prevent cross-site request forgery (CSRF) before allowing the plugin settings to be changed. Further, the sanitization and validation of the input to modify the settings by this function is very limited. The only filtering is does is sanitizing the (), which is insufficient as the changed settings are rendered on the front end.
157 function update_zb_fbc_code(){
158 header('Access-Control-Allow-Origin: *');
159 header('Access-Control-Allow-Credentials: true');
160 $domain = addslashes($_REQUEST['domain']);
161 $public_key = addslashes($_REQUEST['access']);
162 $id = intval($_REQUEST['customer']);
163 $zbEmail = addslashes($_REQUEST['email']);
164 if(!isset($domain) || empty($domain)){
165 header("Location: ".admin_url()."admin.php?page=zb_fbc");
166 }else{
167 update_option( 'ztb_domainid', $domain );
168 update_option( 'ztb_access_key', $public_key );
169 update_option( 'ztb_id', $id );
170 update_option( 'ztb_email', $zbEmail );
171 update_option( 'ztb_status_disconnect', 2 );
172 wp_send_json( array(
173 'error' => false,
174 'message' => 'Update Zotabox embedded code successful !'
175 )
176 );
177 }
178 }Due to this XSS vulnerability in FB messenger live chat, the succeeding processes are also affected. The plugin registers insert_zb_fbc_code() to be run when WordPress pages are loaded:
151 add_action( 'wp_head', 'insert_zb_fbc_code' );Then this gets transmitted to print_zb_fbc_code() function and so on.
139 function insert_zb_fbc_code(){
140 if(!is_admin()){
141 $domain = get_option( 'ztb_domainid', '' );
142 $ztb_source = get_option('ztb_source','');
143 $ztb_status_disconnect = get_option('ztb_status_disconnect','');
144 $connected = 2;
145 if(!empty($domain) && strlen($domain) > 0 && $ztb_status_disconnect == 146$connected){
147 print_r(html_entity_decode(print_zb_fbc_code($domain)));
148 }
149 }
150 }180 function print_zb_fbc_code($domainSecureID = "", $isHtml = false) {
181
182 $ds1 = substr($domainSecureID, 0, 1);
183 $ds2 = substr($domainSecureID, 1, 1);
184 $baseUrl = '//static.zotabox.com';
185 $code = <<<STRING
186 <script type="text/javascript">
187 (function(d,s,id){var z=d.createElement(s);z.type="text/javascript";z.id=id;z.async=true;z.src=" {$baseUrl}/{$ds1}/{$ds2}/{$domainSecureID}/widgets.js";var sz=d.getElementsByTagName(s)[0];sz.parentNode.insertBefore(z,sz)}(document,"script","zb-embed-code"));
188 </script>
189 STRING;
190 return $code;
191 }Update to be safe
The most obvious yet crucial safety measure is to update to the patched version of the plugin. The FB messenger live chat plugin has been updated to version 1.4.9. Make sure you update to this version as soon as possible to mitigate any exploitation attempts.
Further, a strong sanitizing and validating system can prevent your website from cases like XSS and CSRF etc.
A comprehensive Security Solution
Taking security for granted will cost you very dearly in these times. Having a continuous and comprehensive monitoring system for your website will go a long way in securing your website. Security solutions like Astra WordPress Security Suite, tailored for WordPress can be a saviour. Astra offers Firewall for your website, which puts a barrier against XSS, CSRF, Bad bots, SQLi and 100+ other possible attacks. Get an Astra demo now or drop us a message here, and we will be happy to help.
Aakanchha Keshri
