CVE-2020-36838

Oct. 16, 2024, 4:38 p.m.

7.4
High

Description

The Facebook Chat Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wp_ajax_update_options function in versions up to, and including, 1.5. This flaw makes it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites.

Product(s) Impacted

  • Product: Facebook Chat Plugin for WordPress
  • Versions: up to 1.5

Weaknesses

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVSS Score

7.4 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: LOW
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Date

  • Published: Oct. 16, 2024, 7:15 a.m.
  • Last Modified: Oct. 16, 2024, 4:38 p.m.

Status: Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

Source

security@wordfence.com