WordPress admins using the Facebook for WordPress add-on should update their sites immediately. Researchers have found two serious security vulnerabilities in the Facebook for WordPress plugin that put thousands of websites at risk. The latest plugin version has addressed both bugs.
Vulnerabilities In Facebook for WordPress Plugin
Team Wordfence has recently shared details about two separate vulnerabilities in the Facebook for WordPress plugin. The plugin currently boasts over 500,000 active installations, so these vulnerabilities potentially put a huge number of websites at risk.
Briefly, one of these is a critical security bug that has received a CVSS score of 9.0. The researchers identified it as a PHP object injection flaw in the run_action() function. An attacker could easily exploit this flaw to achieve remote code execution by creating custom scripts to generate a valid nonce. Explaining the problem with this function, Wordfence stated,
This function was intended to deserialize user data from the event_data POST variable so that it could send the data to the pixel console. Unfortunately, this event_data could be supplied by a user. When user-supplied input is deserialized in PHP, users can supply PHP objects that can trigger magic methods and execute actions that can be used for malicious purposes.
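To make the bug class concrete, the following is an added illustration (not the plugin's own code): a hypothetical handler that unserialize()s a POST field the way the quote describes, beside two hardened variants that deserialize only plain data. The function names, the event fields and the sample inputs are constructed for this example.

```php
<?php
// Added example, not the plugin's code. Shows the weakness described above
// (user input passed to unserialize()) and two safer ways to read event_data.

// Hypothetical handler mirroring the described weakness: event_data from the
// request is handed straight to unserialize(), so an attacker-controlled
// string can instantiate arbitrary classes and trigger their magic methods.
function run_action_weak(array $post)
{
    return unserialize($post['event_data'] ?? '');
}

// Hardened variant: allowed_classes => false (PHP 7+) turns every object in
// the payload into __PHP_Incomplete_Class, so no user-chosen class is
// instantiated and no __wakeup()/__destruct() of such a class runs.
function run_action_hardened(array $post): array
{
    $data = @unserialize($post['event_data'] ?? '', ['allowed_classes' => false]);
    if (!is_array($data)) {
        return []; // only a plain array of event fields is acceptable
    }
    // Scrub any incomplete-class objects nested inside the array.
    array_walk_recursive($data, function (&$v) {
        if ($v instanceof __PHP_Incomplete_Class) {
            $v = null;
        }
    });
    return $data;
}

// Better still: transport event data as JSON, which carries no class or
// object-instantiation semantics at all.
function run_action_json(array $post): array
{
    try {
        $data = json_decode($post['event_data'] ?? '', true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    return is_array($data) ? $data : [];
}

// Constructed inputs: a benign event, and a serialized object (a harmless
// stdClass here) standing in for an object-injection payload.
$benign = ['event_data' => serialize(['event' => 'Purchase', 'value' => 12.5])];
$object = ['event_data' => 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'];

var_dump(is_object(run_action_weak($object)));   // weak handler instantiates the object
var_dump(run_action_hardened($object));          // hardened handler rejects it
var_dump(run_action_hardened($benign));          // plain event data still passes
var_dump(run_action_json(['event_data' => '{"event":"Purchase"}']));
```

The `allowed_classes` option only stops class instantiation; it does not make `unserialize()` safe for other purposes, which is why the JSON variant is the preferable design for new code.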
The second vulnerability, which Wordfence identified as a cross-site request forgery (CSRF) flaw, appeared in a later version of the plugin. It was a high-severity flaw that received a CVSS score of 8.8.
Details of both the vulnerabilities are available in the researchers’ post.
Bugs Fixed
Wordfence first discovered the PHP object injection flaw in the plugin in December 2020. Following their report, the developers patched the vulnerability in plugin version 3.0.0.
However, this patched version introduced the CSRF vulnerability, which the researchers also reported to the developers.
Eventually, another patched version of the plugin, version 3.0.3, arrived with the second fix.
Currently, the latest plugin version, 3.0.5, includes both fixes. Hence, all users running this plugin should make sure they update to this version.