CVE-2020-36838

The Facebook Chat Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wp_ajax_update_options function in versions up to, and including, 1.5. This flaw makes it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://www.wordfence.com/blog/2020/08/the-official-facebook-chat-plugin-created-vector-for-social-engineering-attacks/
https://www.wordfence.com/threat-intel/vulnerabilities/id/36ae4183-5fa7-484c-b858-5df10ae3d3f2?source=cve

Configurations

No configuration.

History

16 Oct 2024, 16:38

Type	Values Removed	Values Added
Summary		(es) El complemento Facebook Chat para WordPress es vulnerable a la omisión de la autorización debido a una falta de verificación de capacidad en la función wp_ajax_update_options en versiones hasta la 1.5 incluida. Esta falla permite que atacantes autenticados de bajo nivel conecten su propia cuenta de Facebook Messenger a cualquier sitio que ejecute el complemento vulnerable y participen en chats con los visitantes del sitio en los sitios afectados.

16 Oct 2024, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-16 07:15

Updated : 2024-10-16 16:38

NVD link : CVE-2020-36838

Mitre link : CVE-2020-36838

CVE.ORG link : CVE-2020-36838

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

7.4 /10