A new high severity WordPress vulnerability has been found in a Facebook chat plugin, which has been installed on over 80,000 WordPress websites. If exploited, attackers would be able to obtain “authorized” access to the chat plugin and be able to communicate with site visitors to carry out social engineering attacks in an effort to retrieve sensitive information.
What makes this particular vulnerability so severe is the attacker’s ability to assume the role of the victim. Through social engineering and creating a “legitimate” story with the brand they assume, the attacker can create all kinds of themes to exploit a user by asking for personal information. As long as an attacker has a method to spin a story, social engineering attacks are always a threat. As such, we will continue to see attempts to directly attack the human element that cause damage for the brand, not just the victim.
When vulnerabilities are publicly announced, it is a race between administrators and attackers. This exploitation stresses the need to monitor vulnerabilities in relation to one’s tech stack and applications. If you don’t know it’s vulnerable, you can’t patch it. Potential targets should utilize a Web Application Firewall to help prevent exploits while also staying aware of vulnerabilities when they are released in order to proactively protect themselves.