Plugin Exploit

Critical XSS Vulnerability in FB messenger live chat

Updated on: March 29, 2020

Critical XSS Vulnerability in FB messenger live chat

Article Summary

Owing to the widespread presence of WordPress, hackers, in fact try incessantly to make past every popular WordPress plugin. As a result, vulnerability disclosures in WordPress plugins almost seem like a never ending process. This time its Fb messenger live chat by Zotabox. So, FB messenger live chat by Zotabox has recently been disclosed to have persistent XSS vulnerability.

Owing to the widespread presence of WordPress, hackers, in fact, try incessantly to make past every popular WordPress plugin. As a result, vulnerability disclosures in WordPress plugins almost seem like a never-ending process. This time its FB messenger live chat by Zotabox. So, a persistent XSS vulnerability in FB messenger live chat by Zotabox is uncovered.

This WordPress plugin has more than 30,000 active installations as per the official WordPress plugin directory. According to, it has been updated a day ago with a newer version 1.4.9 of patched vulnerability.

FB messenger live chat in WordPress

Details of the XSS vulnerability in FB messenger live chat

Through the WordPress AJAX functionality, which is responsible for sending data to script and then receiving the data back without needing to reload the page, the function update_zb_fbc_code is accessible to anyone.

As you will see in the following lines of code that wp_ajax_update_zb_fbc_code (for authenticated users) & wp_ajax_nopriv_update_zb_fbc_code (for no privileged users), both use the same function “update_zb_fbc_code“. Thus, allowing any user (logged in or not) to modify the plugin settings. I can not emphasize it enough just how critical a vulnerability it is and in what ways it could be misused.

154 add_action("wp_ajax_update_zb_fbc_code", "update_zb_fbc_code");
155 add_action("wp_ajax_nopriv_update_zb_fbc_code", "update_zb_fbc_code");

Moreover, the update_zb_fbc_code function does not check doesn’t possess capabilities to check or a check to prevent cross-site request forgery (CSRF) before allowing the plugin settings to be changed. Further, the sanitization and validation of the input to modify the settings by this function is very limited. The only filtering is does is sanitizing the (), which is insufficient as the changed settings are rendered on the front end.

157 function update_zb_fbc_code(){
158	header('Access-Control-Allow-Origin: *');
159   header('Access-Control-Allow-Credentials: true');
160	$domain = addslashes($_REQUEST['domain']);
161	$public_key = addslashes($_REQUEST['access']);
162	$id = intval($_REQUEST['customer']);
163	$zbEmail = addslashes($_REQUEST['email']);
164	if(!isset($domain) || empty($domain)){
165		header("Location: ".admin_url()."admin.php?page=zb_fbc");
166	}else{
167		update_option( 'ztb_domainid', $domain );
168		update_option( 'ztb_access_key', $public_key );
169		update_option( 'ztb_id', $id );
170		update_option( 'ztb_email', $zbEmail );
171		update_option( 'ztb_status_disconnect', 2 );
172		wp_send_json( array(
173			'error' => false,
174			'message' => 'Update Zotabox embedded code successful !' 
175			)
176		);
177	}
178 }

Due to this XSS vulnerability in FB messenger live chat, the succeeding processes are also affected. The plugin registers insert_zb_fbc_code() to be run when WordPress pages are loaded:

151 add_action( 'wp_head', 'insert_zb_fbc_code' );

Then this gets transmitted to print_zb_fbc_code() function and so on.

139 function insert_zb_fbc_code(){
140	if(!is_admin()){
141		$domain = get_option( 'ztb_domainid', '' );
142		$ztb_source = get_option('ztb_source','');
143		$ztb_status_disconnect = get_option('ztb_status_disconnect','');
144		$connected = 2;
145		if(!empty($domain) && strlen($domain) > 0 && $ztb_status_disconnect == 146$connected){
147			print_r(html_entity_decode(print_zb_fbc_code($domain)));
148		}
149	}
150 }
180 function print_zb_fbc_code($domainSecureID = "", $isHtml = false) {
182	$ds1 = substr($domainSecureID, 0, 1);
183	$ds2 = substr($domainSecureID, 1, 1);
184	$baseUrl = '//';
185	$code = <<<STRING
186 <script type="text/javascript">
187 (function(d,s,id){var   z=d.createElement(s);z.type="text/javascript";;z.async=true;z.src=" {$baseUrl}/{$ds1}/{$ds2}/{$domainSecureID}/widgets.js";var sz=d.getElementsByTagName(s)[0];sz.parentNode.insertBefore(z,sz)}(document,"script","zb-embed-code"));
188 </script>
190	return $code;
191 }

Update to be safe

The most obvious yet crucial safety measure is to update to the patched version of the plugin. The FB messenger live chat plugin has been updated to version 1.4.9. Make sure you update to this version as soon as possible to mitigate any exploitation attempts.

Further, a strong sanitizing and validating system can prevent your website from cases like XSS and CSRF etc.

A comprehensive Security Solution

Taking security for granted will cost you very dearly in these times. Having a continuous and comprehensive monitoring system for your website will go a long way in securing your website. Security solutions like Astra WordPress Security Suite, tailored for WordPress can be a saviour. Astra offers Firewall for your website, which puts a barrier against XSS, CSRF, Bad bots, SQLi and 100+ other possible attacks. Get an Astra demo now or drop us a message here, and we will be happy to help.

Was this post helpful?

Tags: ,

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany