Viewing 12 replies - 1 through 12 (of 12 total)
erraziB

    (@errazib)

    This has not been fixed, my client’s website was being redirected just today

    GOT1878

    (@got1878)

    Bit poor they’ve not made this clear.

    It took me 3 hours this morning to isolate this plugin being the source of the malicious redirects.

    cezard

    (@cezard)

    Updating the plugin is not enough to prevent the redirect. You also need to clear the malicious JS code from the plugin’s settings (or directly from the DB in the wp_options table; search for cff_style_settings).
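    The cleanup cezard describes can be done without hand-editing the database. The following is an added example, not code from Smash Balloon or from anyone in this thread: a WP-CLI script that reads the cff_style_settings option (the option name comes from this thread), flags any stored string that looks like script rather than CSS, and optionally empties those fields. It assumes WP-CLI is installed and does not assume which key inside the option holds the Custom JS box, so it checks every string value; the regex list is a heuristic chosen for this example, not a vendor signature list.

```php
<?php
/**
 * Added example (not the plugin's own code): audit cff_style_settings for
 * injected script before clearing it.
 * Usage from the site root:
 *   wp eval-file audit-cff-settings.php          # report only
 *   wp eval-file audit-cff-settings.php clean    # also empty flagged fields
 * WP-CLI places extra positional arguments in $args.
 */

// Heuristic markers of script/redirect content; legitimate CSS has none of these.
$suspicious = [
    '/<script\b/i',
    '/\bdocument\.(write|location)\b/i',
    '/\bwindow\.location\b/i',
    '/\beval\s*\(/i',
    '/\bString\.fromCharCode\b/i',
    '/\batob\s*\(/i',
];

$option_name = 'cff_style_settings';           // option name from this thread
$clean       = isset( $args[0] ) && 'clean' === $args[0];
$settings    = get_option( $option_name );     // WordPress unserializes the value

if ( ! is_array( $settings ) ) {
    WP_CLI::log( "Option {$option_name} is missing or not an array; nothing to audit." );
    return;
}

$flagged = [];

// Walk the settings array recursively. The key holding the Custom JS box is not
// named in the thread, so every string leaf is checked instead of assuming a key.
$walk = function ( &$node, $path ) use ( &$walk, &$flagged, $suspicious, $clean ) {
    if ( is_array( $node ) ) {
        foreach ( $node as $k => &$v ) {
            $walk( $v, '' === $path ? (string) $k : "{$path}.{$k}" );
        }
        unset( $v );
        return;
    }
    if ( ! is_string( $node ) ) {
        return;
    }
    foreach ( $suspicious as $re ) {
        if ( preg_match( $re, $node ) ) {
            $flagged[] = [ 'path' => $path, 'preview' => substr( $node, 0, 120 ) ];
            if ( $clean ) {
                $node = ''; // empty the field, mirroring the "clear the box" advice
            }
            break;
        }
    }
};

$walk( $settings, '' );

if ( empty( $flagged ) ) {
    WP_CLI::success( "No script-like content found in {$option_name}." );
    return;
}

foreach ( $flagged as $hit ) {
    WP_CLI::warning( "{$hit['path']}: {$hit['preview']}" );
}

if ( $clean ) {
    update_option( $option_name, $settings );
    WP_CLI::success( count( $flagged ) . ' field(s) emptied; purge page/minification caches next.' );
} else {
    WP_CLI::log( 'Re-run with the "clean" argument to empty the flagged fields.' );
}
```

Take a database export (for example `wp db export`) before running it with `clean`, since the script overwrites the option in place; the flagged previews are printed so you can keep a copy of anything that turns out to be legitimate custom code. As Joel notes later in the thread, cached or minified copies of the page can keep serving the old script after the option is cleaned, so purge those afterwards.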

    Plugin Support Smash Balloon Joel

    (@joelsmashballoon)

    Hey @mfarmerhi, @errazib, @got1878,

    Thank you for reaching out to us for assistance. Also thank you @cezard for bringing up the rest of the necessary information. We will add a sticky post about this soon.

    For anyone with the issue, please ensure you update the plugin to the latest version.

    Free version 4.0.1
    Pro version 4.0.6

    Then, go to Facebook Feed > Settings > Feeds. Here, you will want to empty the Custom CSS and Custom JS boxes, then Save Changes. You should no longer have any issues on the site.

    If you do run into further issues, let us know as we take security risks in our plugin very seriously and work with auditors to resolve any vulnerabilities as soon as they are identified. We apologize for the inconvenience thus far.

    Best regards.

    Plugin Support Smash Balloon Joel

    (@joelsmashballoon)

    In addition, it may be worth keeping in mind that you should clear any website caching or optimization (such as minification), to ensure you are serving the latest version of our plugin files.

    Plugin Author smashballoon

    (@smashballoon)

    Just an update on this; if you update the plugin to the latest version (4.0.2) then it will automatically prevent any JavaScript added into the Custom JavaScript field from running. You can then review the code and choose whether or not to copy it over to a recommended plugin to continue using it.

    damien_vancouver

    (@damien_vancouver)

    Deactivating and deleting the plugin also works.

    “The wp_ajax_cff_save_settings AJAX action, which is responsible for updating the plugin’s inner settings, did not perform any privilege or nonce checks before doing so. This made it possible for any logged-in users to call this action and update any of the plugin’s settings.”

    This is ridiculous flailing by Smash Balloon because 2 months ago CVE-2021-24918 came out which was the exact same issue. At that point the plugin should have been audited for other XSS injections to the AJAX endpoint.

    Not getting around to that is understandable from a free plugin with volunteer work, but from a commercial company taking money for the plugin that is negligent behaviour. Shame!
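    The quoted advisory text pins the root cause on an AJAX settings handler that ran without a privilege or nonce check. As an added example (not the plugin's code and not written by anyone in this thread), here is that unchecked pattern next to a handler with the checks in place, written as a generic WordPress plugin snippet. Every name ending in `example` or `_example` is hypothetical; only the option name cff_style_settings comes from the thread, and the settings keys inside the allow-list are invented for illustration.

```php
<?php
/**
 * Added example (hypothetical plugin, not Smash Balloon's code): an admin-ajax
 * settings-save handler, unchecked vs. checked.
 */

// Unchecked pattern. wp_ajax_* hooks fire for any authenticated request, so without
// a capability and nonce check any logged-in user can overwrite the option,
// including a field that is later printed into the page as script.
function example_save_settings_unchecked() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : [];
    update_option( 'cff_style_settings', $settings );
    wp_send_json_success();
}
// Deliberately NOT registered with add_action(); shown for contrast only.

// Checked handler: capability check, nonce check, then an allow-list of keys with
// a sanitizer per key so arbitrary markup or script never reaches the option.
function example_save_settings_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( [ 'message' => 'insufficient privileges' ], 403 );
    }
    // Dies with a 403 response if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Hypothetical keys. Note there is no custom_js key at all: as the thread says,
    // 4.0.2 removed the Custom JavaScript field rather than trying to sanitize script.
    $allowed = [
        'custom_css'  => 'wp_strip_all_tags',     // CSS text with any tags removed
        'feed_width'  => 'absint',
        'show_header' => 'rest_sanitize_boolean',
    ];

    $incoming = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : [];

    $current = get_option( 'cff_style_settings', [] );
    $clean   = is_array( $current ) ? $current : [];
    foreach ( $allowed as $key => $sanitizer ) {
        if ( array_key_exists( $key, $incoming ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, $incoming[ $key ] );
        }
    }
    // Keys not in $allowed are dropped, so the request cannot add new settings.
    update_option( 'cff_style_settings', $clean );
    wp_send_json_success( [ 'saved' => array_keys( $allowed ) ] );
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_checked' );

// Hand the nonce to the admin page script so the browser can send it back.
function example_enqueue_settings_script( $hook ) {
    if ( 'toplevel_page_example-settings' !== $hook ) { // hypothetical admin page hook
        return;
    }
    wp_enqueue_script( 'example-settings', plugins_url( 'settings.js', __FILE__ ), [ 'jquery' ], '1.0', true );
    wp_localize_script( 'example-settings', 'exampleSettings', [
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_settings' ),
    ] );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_script' );
```

Two design points worth noting. The capability check comes first and is what stops a low-privilege account; the nonce check protects an administrator from being made to submit the form cross-site, and neither substitutes for the other. Second, the allow-list with per-key sanitizers means the stored option can only ever contain values of known shape, which is the property that makes "clear the Custom JS box" a one-time cleanup rather than something that has to be repeated after every update.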

    Thread Starter mfarmerhi

    (@mfarmerhi)

    “Deactivating and deleting the plugin also works.”

    +1

    Unfortunately that was my decision too. When other news sources announce such vulnerabilities and the plugin author hasn’t yet addressed it… the cat’s out of the bag. No excuse in my opinion.

    Plugin Author smashballoon

    (@smashballoon)

    Hey guys,

    We really apologize for any problems caused by this issue. We take security reports very seriously and to clarify, we pushed out an update to fix this issue (v4.0.1) on October 21st, within 72 hours of receiving details of the report. The 4.0.2 update we pushed out today just completely removed the Custom JavaScript field as an additional precaution.

    Nonetheless, I really apologize for the issue here and any inconvenience caused.

    John

    GOT1878

    (@got1878)

    I’ve also deleted the plugin.

    I had commercial versions of Facebook, Twitter and Instagram.

    Learning of the exploit from a third party, and Smash Balloon’s response has made me believe you’re negligent towards security.

    Shame, as the plugin was pretty good/I reviewed accordingly.

    Using version 4.1.1 and the issue is still there …
    That’s a major flaw and security risk. Unbelievable :-O

    Plugin Author smashballoon

    (@smashballoon)

    @webber2012 – this issue was verified as fixed in v4.0.1 on October 21st. If you’re seeing an issue in v4.1.1 then would you be able to provide more details? You can use the private form here if you’d prefer.

    Many thanks,

    John

The topic ‘AJAX vulnerabilities to Stored Cross-Site Scripting (XSS) attacks’ is closed to new replies.