The popular WordPress plugin Facebook Widget (Widget for Facebook Page Feeds) was closed and made temporarily unavailable in the WordPress Plugins Directory on July 25th, 2019, and was only updated and reopened around 11am EST on July 30th, under the new name "Widget for Social Page Feeds". As one of the most downloaded plugins on WordPress.org, with over 921,000 downloads as of this writing, the temporary closing of the Facebook Widget plugin caught the attention of the WordPress plugin vulnerability monitoring service Plugin Vulnerabilities, which quickly reported that the apparently discontinued plugin also contained a Cross Site Scripting (XSS) vulnerability.
What is Cross Site Scripting?
XSS is a form of code injection: attacker-supplied content, usually JavaScript, is stored by or reflected from a site and then executes in another user's browser under that site's origin, where it can read cookies, act as the logged-in user, or rewrite the page. The flaw lies in the site's code, not in the browser, which simply runs whatever markup and script the page hands it. XSS remains one of the most common web vulnerabilities. Generally speaking, an XSS vulnerability can exist in any web application that accepts input from a user and uses it to generate output without validating it and encoding it for the context (HTML body, attribute value, URL, or script) in which it is placed.
What is the vulnerability?
In the case of the Facebook Widget plugin, the handler for the plugin's fb_widget shortcode does not escape its shortcode attributes before placing them in the page's HTML output. Anyone who can insert the shortcode into a post or page can therefore put script into an attribute value and have it run in the browser of every visitor who views that page. Plugin Vulnerabilities published a proof of concept in which the shortcode is used to access a visitor's cookies. Because the injection point is a shortcode in post content, an attacker normally needs an account that is allowed to write posts, but the flaw still lets a low-privileged author run script against administrators and every other visitor to the site.
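The following is an added example, not code from the Facebook Widget plugin or from Plugin Vulnerabilities, showing the general shape of a shortcode attribute XSS described above beside a hardened handler. The attribute names (`href`, `width`), the handler names and the sample attacker input are assumptions for illustration; the plugin's real attribute names are not given on this page. The stand-in definitions at the top exist only so the file runs outside WordPress, where the real `shortcode_atts()`, `esc_url()`, `esc_attr()` and `absint()` are used instead.

```php
<?php
// Added example: unsafe vs. hardened WordPress shortcode handler.
// Handler names, attribute names and sample input are assumptions,
// not the plugin's own code.

// Minimal stand-ins so this file runs with plain `php` outside WordPress.
// Inside WordPress these are never defined; the core functions are used.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        // Encode quotes and angle brackets so a value cannot leave its attribute.
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        $url = trim( (string) $url );
        // Stand-in policy: only http(s) targets; javascript:, data: etc. are dropped.
        if ( ! preg_match( '#^https?://#i', $url ) ) {
            return '';
        }
        return esc_attr( $url );
    }
}
if ( ! function_exists( 'absint' ) ) {
    function absint( $n ) {
        return abs( (int) $n );
    }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts ) {
        // Keep only the known attributes, filling in defaults for missing ones.
        $atts = (array) $atts;
        $out  = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = array_key_exists( $name, $atts ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
}

// VULNERABLE (hypothetical): attribute values are dropped straight into markup.
function unsafe_feed_shortcode( $atts ) {
    $href  = isset( $atts['href'] ) ? $atts['href'] : 'https://www.facebook.com/';
    $width = isset( $atts['width'] ) ? $atts['width'] : '340';
    return '<div class="fb-page" data-href="' . $href . '" data-width="' . $width . '"></div>';
}

// HARDENED: whitelist the attributes, coerce each to its expected type,
// and escape for the HTML attribute context on output.
function safe_feed_shortcode( $atts ) {
    $a = shortcode_atts( array(
        'href'  => 'https://www.facebook.com/',
        'width' => 340,
    ), $atts );

    $href = esc_url( $a['href'] );
    if ( '' === $href ) {
        $href = 'https://www.facebook.com/'; // fall back when the URL is rejected
    }
    $width = absint( $a['width'] );          // a width can only ever be a number

    return '<div class="fb-page" data-href="' . $href . '" data-width="' . $width . '"></div>';
}

// Inside WordPress the hardened handler would be registered like this.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'fb_widget', 'safe_feed_shortcode' );
}

// Constructed attacker input: a post author closes the data-href attribute
// and adds an event handler, and stuffs markup into the numeric width.
$malicious = array(
    'href'  => 'https://www.facebook.com/x" onmouseover="alert(document.cookie)',
    'width' => '340" onload="alert(1)',
);

echo "unsafe: ", unsafe_feed_shortcode( $malicious ), "\n";
echo "safe:   ", safe_feed_shortcode( $malicious ), "\n";
```

Run it with `php example.php`: the unsafe handler emits a second, attacker-controlled `onmouseover` attribute, while the hardened handler keeps the injected quote encoded inside `data-href` and reduces the width to the integer 340. The design point is that escaping alone is not enough; each attribute should be coerced to the type the widget actually needs before it is escaped for the context where it lands.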
What should you do?
Update the plugin from your WordPress Dashboard's Plugins or Updates page. Note that the plugin was renamed, so its directory listing now appears as "Widget for Social Page Feeds". If for some reason you cannot update the plugin there, you can download a fresh copy from its page at WordPress.org and manually replace your existing plugin files. For more details, visit the WordPress Managing Plugins page at https://wordpress.org/support/article/managing-plugins/
A Quick Reminder
This is probably a good time to remind you that you should always keep your WordPress core installation, themes, and plugins up to date, and routinely check that the themes and plugins you rely on are still actively developed. Just as with the Total Donations plugin, WordPress themes and plugins are frequently abandoned or replaced by new alternatives, so webmasters need to stay vigilant to make sure their sites don't fall prey to similar issues.
More information on keeping WordPress and its plugins updated may be found in the following articles, provided for your convenience:
Final Reminder
Just as a final reminder: any time you find that you are using an abandoned theme or plugin, it is always recommended to stop using it immediately, unless you are tech-savvy enough to take over its development yourself. Yes, replacing themes and plugins is a lot of work with no immediate return on the investment. However, it is well worth it compared with the lost business, the man-hours spent troubleshooting and recovering your site, and the lost revenue that follow a breach.
And always remember: Delete, don't just deactivate!
Deactivating a plugin only stops WordPress from loading it. Its files stay on the server, so any file in it that can be requested directly, or the whole plugin once someone reactivates it, still carries whatever vulnerability it had. Deleting the plugin removes the code entirely.