The company also published proof-of-concept (PoC) code showing how attackers could exploit these vulnerabilities against live sites.
The two affected plugins are "Messenger Customer Chat", which embeds a Facebook Messenger chat window on a WordPress site, and "Facebook for WooCommerce", which lets WordPress site owners publish their WooCommerce-based stores to their Facebook Pages.
In mid-April, the Facebook for WooCommerce plugin was released as part of the official WooCommerce plugin for online stores. Since then it has earned an overall 1.5-star rating, with the overwhelming majority of reviewers complaining about errors and incomplete updates.
The security of everyone who has installed these extensions is now at risk because of a dispute between WordPress and a Denver-based company, White Fir Design LLC, which operates as Plugin Vulnerabilities.
The Plugin Vulnerabilities team decided it would not follow a policy change on the WordPress.org support forums. The new policy forbids users from disclosing security bugs in forum posts and instead asks security researchers to report them privately, by email, to the WordPress plugin team, which then contacts the plugin's developers and users.
Plugin Vulnerabilities nevertheless kept posting security flaws to the WordPress forums, and as a result its forum accounts were banned.
The dispute escalated over time, and last spring the group began publishing blog posts on its own website with full details and PoC code for the vulnerabilities it found in WordPress plugins.
Attackers naturally did not miss the opportunity: using the information published by Plugin Vulnerabilities, they launched malicious campaigns, some of which compromised large sites.
The two flaws found in the Facebook plugins allow authenticated users to modify WordPress site options. They are not as severe as the vulnerabilities disclosed earlier this year, but they could still let an attacker take control of a site.
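The bug class described above, a logged-in user of any role being able to change site options, typically comes from a plugin AJAX handler that writes with `update_option()` without first checking the caller's capability or a nonce. The following is an added, generic illustration of that pattern and its fix; it is hypothetical plugin code written for this page, not the source of either Facebook plugin, and the action name `example_save_settings`, the option name `example_plugin_settings` and the nonce action `example_settings` are invented for the example. It assumes it runs inside WordPress as a plugin file.

```php
<?php
/*
 * Plugin Name: Example Settings Handler (illustrative, not a real plugin)
 * Hypothetical code added for this article; it is not the code of
 * Messenger Customer Chat or Facebook for WooCommerce.
 */

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* hooks fire for ANY logged-in user, including subscribers.
// Nothing here checks who the caller is or whether they hold a valid nonce,
// so any account on the site can overwrite the plugin's settings option.
function example_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}
// (Deliberately left unregistered; registered here only to show the shape.)
// add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );

// --- Hardened pattern -----------------------------------------------------
function example_save_settings_hardened() {
    // 1. Authorization: only users who may manage site options get through.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() dies with a -1 response if the nonce is missing or bad.
    check_ajax_referer( 'example_settings', 'nonce' );

    // 3. Input validation: only accept the keys we expect, with sanitized values,
    //    so an admin-level request still cannot smuggle arbitrary option data.
    $raw      = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array(
        'enabled'  => ! empty( $raw['enabled'] ) ? 1 : 0,
        'page_id'  => isset( $raw['page_id'] ) ? preg_replace( '/\D/', '', $raw['page_id'] ) : '',
        'greeting' => isset( $raw['greeting'] ) ? sanitize_text_field( $raw['greeting'] ) : '',
    );

    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );

// The admin page that submits the form must emit a matching nonce, e.g.
// wp_nonce_field( 'example_settings', 'nonce' ); or wp_create_nonce( 'example_settings' )
// passed to the JavaScript that calls admin-ajax.php.
```

When reviewing a plugin for this class of bug, list every `wp_ajax_*`, `admin_post_*` and REST route callback and confirm that each one that calls `update_option()`, `update_user_meta()` or similar performs both a `current_user_can()` check and a nonce check before writing; a nonce alone does not authorize, and a capability check alone does not stop CSRF.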