CVE-2020-36838 HIGH

CVE-2020-36838: Facebook Chat Plugin <= 1.5 - Missing Capabilities Check

Vendor Facebook

Product Facebook Chat Plugin – Live Chat Plugin for WordPress

Weakness CWE-284

Published October 16, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

7.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

The Facebook Chat Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wp_ajax_update_options function in versions up to, and including, 1.5. This flaw makes it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites.

Key dates

02Disclosure timeline

October 16, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-36838 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html

Related vulnerabilities

Identifiers

CVE CVE-2020-36838

CWE CWE-284

CVSS 7.4 / HIGH

Affected versions