Two vulnerabilities affecting the Facebook for WordPress plugin have been made public by the Wordfence Threat Intelligence team.
Formerly known as “Official Facebook Pixel,” this plugin has been installed by over 500,000 sites.
These two critical vulnerabilities have been patched, which means you need to update the plugin as soon as possible so your site is no longer vulnerable.
First Vulnerability Discovered in December 2020
One of the vulnerabilities, first discovered in December 2020, allows an attacker to take over a site completely and run malicious code on it.
This class of attack is known as remote code execution (RCE). Wordfence says the flaw in the plugin “made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization weakness.”
Second Vulnerability Discovered in January 2021
A second vulnerability was discovered on January 27, 2021 by the Wordfence team. This flaw was introduced when the plugin was rebranded in version 3.0.0.
Wordfence rates both vulnerabilities at the highest level of severity and strongly recommends updating the Facebook for WordPress plugin on every installation.
PHP Object Injection Vulnerability – CVSS Score of 9
A Common Vulnerability Scoring System (CVSS) score of nine places this vulnerability in the critical range, meaning you should update the plugin immediately to avoid attackers compromising your website.
Infosecurity Magazine reports that:
As such, the bug could have been exploited to upload arbitrary files and achieve remote code execution on a vulnerable target.
Second Vulnerability: Cross-Site Request Forgery – CVSS Score of 8.8
A CVSS score of 8.8 also places this vulnerability in the high-severity range, so you should download and install the latest update as soon as possible.
It is also important to note that this second vulnerability can lead to cross-site scripting (XSS).
Be sure to update your plugins to avoid having your website taken over.
ZDNet reported the following:
Facebook for WordPress: Don’t Forget to Update!
Both vulnerabilities are patched in the recent plugin release, version 3.0.4.
All webmasters should update their Facebook for WordPress plugin to the latest version to keep outside attackers from compromising their websites.
We strongly recommend that these steps be taken immediately.
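A quick way to confirm that an installation is on the patched release is to read the version from the plugin's main PHP file and compare it against 3.0.4. The script below is an added example, not code from the article, Wordfence or the plugin; it assumes the plugin's main file carries the standard WordPress "Version:" header line, and the path you pass to it is up to you.

```shell
#!/bin/sh
# Added example (not from the article or the plugin): report whether an installed
# WordPress plugin is older than the patched release named in the article.
# Assumes the plugin's main PHP file carries a standard "Version:" header line.
FIXED_VERSION="3.0.4"

# Extract the value of the "Version:" header from a plugin's main PHP file.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 (true) when $1 is older than $2, comparing dot-separated numeric parts.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        a="${a#*.}";  b="${b#*.}"
        x="${x:-0}";  y="${y:-0}"
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Print a verdict for one plugin file.
# Exit status: 0 = patched, 1 = needs update, 2 = no version header found.
check_plugin() {
    v="$(plugin_version "$1")"
    if [ -z "$v" ]; then
        echo "no Version header found in $1"
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE: $1 is version $v, update to $FIXED_VERSION or later"
        return 1
    fi
    echo "OK: $1 is version $v"
    return 0
}
```

Run it against the plugin's main file, for example `check_plugin /path/to/wp-content/plugins/<plugin-dir>/<main-file>.php`, where the path is a placeholder for your own installation.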
Featured Image: monticello / Mar 2021