WordPress is once again in the tech news headlines, as two zero-day exploits have been disclosed, both related to how WordPress interacts with Facebook. The first affects Facebook for WooCommerce, a WordPress plugin that provides an interface between WooCommerce and Facebook. The second affects Messenger Customer Chat, which, as the name implies, gives a WordPress website access to Facebook Messenger from within the site itself. As a matter of policy, WordPress.org has for many years banned users who reveal a security flaw in its official forums, and instead encourages people to contact the individual plugin developers to request a fix.
A vulnerability disclosure company named White Fir Design LLC disagrees with that policy and broke the WordPress forum's rule on flaw disclosure. It reached the point where WordPress forum administrators permanently banned White Fir Design's forum accounts, and the company retaliated by disclosing the flaws together with detailed proof-of-concept (PoC) code. White Fir Design posted the PoCs on its own website, where they were quickly picked up by black hat attackers looking for ways to compromise WordPress websites.
The publication of PoCs for the flaws in the two WordPress plugins mentioned above was part of the plan to get back at the WordPress forum moderators for banning White Fir Design's forum accounts. The silver lining is that the two disclosed zero-day flaws are not exploitable on their own, as neither is a remote code execution bug: an attack requires a reasonable degree of social engineering, since it needs the victim to open a malicious link. White Fir Design LLC is also breaking the common courtesy of "responsible disclosure," which expects white hat researchers to disclose bugs directly to the developers and give them 90 days to issue a patch that fixes the issues presented.
White Fir Design has published all of its responses about the disclosures on its pluginvulnerabilities website. The company intends to continue its disclosure practice, which it regards as a selfless service to the public. It believes that other groups are too timid to do the responsible thing and expose security bugs in WordPress, so it has to take up the slack and do what it believes is the correct thing.
"An unfortunate reality when it comes to the security of WordPress websites is that the people behind WordPress have for years refused to take actions that would largely resolve major security with WordPress plugins and that has led to far too many websites being unnecessarily hacked. We have tried for years without success to work with them to fix those issues," explained White Fir Design on its official blog.
The company says it will continue providing the public with "the best protection against the threats" through its disclosures. As the WordPress user base continues to grow, so does its exposure: the chance of exploitation is considerably higher than for software that does not feature a plugin system.