CVE-2020-36838

HIGH

Facebook Chat Plugin <1.5 - Auth Bypass

Description

The Facebook Chat Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wp_ajax_update_options function in versions up to, and including, 1.5. This flaw makes it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites.
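
The missing check described above, shown as an added example that is not the plugin's own code: a hypothetical handler for the `wp_ajax_update_options` hook, first without and then with a capability check and nonce verification. The function names, nonce action, option name and request field are assumptions for illustration.

```php
<?php
// Illustrative only: function names, the nonce action, the option name and the
// request field are hypothetical, not taken from the plugin's source.

// Pattern described in the advisory: wp_ajax_{action} hooks fire for ANY
// logged-in user, so a handler with no capability check lets a low-privileged
// account change site-wide settings.
function example_update_options_unchecked() {
    $page_id = sanitize_text_field( wp_unslash( $_POST['page_id'] ?? '' ) );
    update_option( 'example_chat_page_id', $page_id );
    wp_send_json_success();
}

// Hardened form: verify intent (nonce) and authority (capability) before
// touching stored options.
function example_update_options_checked() {
    // Terminates the request if the nonce is missing or invalid (CSRF protection).
    check_ajax_referer( 'example_update_options', 'nonce' );

    // Only users allowed to manage site options may change the linked page.
    // wp_send_json_error() sends the response and ends execution.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Validate the value as well as sanitizing it.
    $page_id = sanitize_text_field( wp_unslash( $_POST['page_id'] ?? '' ) );
    if ( ! preg_match( '/^\d+$/', $page_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid page ID.' ), 400 );
    }

    update_option( 'example_chat_page_id', $page_id );
    wp_send_json_success();
}

// Register only the checked handler. No wp_ajax_nopriv_ hook is added, so
// unauthenticated requests never reach it.
add_action( 'wp_ajax_update_options', 'example_update_options_checked' );
```

When reviewing a plugin, every callback attached to a `wp_ajax_` hook that writes options should contain both calls before the first `update_option()`.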

Scores

CVSS v3 7.4
EPSS 0.0034
EPSS Percentile 25.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-284
Status published
Products (1)
facebook/Facebook Chat Plugin – Live Chat Plugin for WordPress < 1.6
Published Oct 16, 2024
Tracked Since Feb 18, 2026