Two vulnerabilities affecting the Facebook for WordPress plugin have been made public by the Wordfence Threat Intelligence team.
Formerly known as “Official Facebook Pixel,” this plugin has been installed by over 500,000 sites.
Both critical vulnerabilities have been patched, so update the plugin as soon as possible to close them.
First Vulnerability Discovered in December 2020
The first vulnerability, discovered in December 2020, allows an attacker to take over a site completely and run malicious code on it.
This attack is known as an RCE attack, or remote code execution attack. Wordfence says the flaw in the plugin “made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization weakness.”
Second Vulnerability Discovered in January 2021
A second vulnerability was discovered by the Wordfence team on January 27, 2021. This flaw was introduced when the plugin was rebranded in version 3.0.0.
It allowed attackers to inject malicious JavaScript into the plugin's settings. All an attacker would need to do is trick an administrator into clicking a crafted link.
Wordfence rates both vulnerabilities at the highest level of severity and strongly recommends installing the update for the Facebook for WordPress plugin.
PHP Object Injection Vulnerability – CVSS Score of 9
A Common Vulnerability Scoring System (CVSS) score of nine places this vulnerability in the critical range, so you should update the plugin immediately to prevent attackers from compromising your website.
Infosecurity Magazine reports that:
“Unfortunately, this event_data could be supplied by a user. When user-supplied input is deserialized in PHP, users can supply PHP objects that can trigger magic methods and execute actions that can be used for malicious purposes.”
As such, the bug could have been exploited to upload arbitrary files and achieve remote code execution on a vulnerable target.
Second Vulnerability: Cross-Site Request Forgery – CVSS Score of 8.8
A CVSS score of 8.8 also places this vulnerability at a serious level, and the latest update should be installed as soon as possible.
It is also important to note that this second vulnerability can result in a cross-site scripting issue.
Be sure to update the plugin to avoid having your website taken over.
ZDNet reported the following:
When the software was updated, an AJAX function was introduced to make plugin integration easier. However, a permissions check problem in the function opened up an avenue for attackers to craft requests that could be executed “if they could trick an administrator into performing an action while authenticated to the target site,” according to Wordfence.
“The action could be used by an attacker to update the plugin’s settings to point to their own Facebook Pixel console and steal metric data for a site,” the team says. “Worse yet, since there was no sanitization on the settings that were stored, an attacker could inject malicious JavaScript into the setting values.”
Malicious JavaScript could, for example, be used to create backdoors in themes or create new admin accounts for hijacking entire websites.
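The two weaknesses the quoted reports describe, a settings endpoint reachable without a CSRF or permission check and user-supplied data handed to unserialize(), as an added example that is not the plugin's own code: a hypothetical WordPress admin-ajax handler in its weak shape and in a hardened form. All function, option and field names are invented.

```php
<?php
// Added example (not the plugin's own code). Function, option and field
// names are invented; the pattern is what the reports describe.

// WEAK: any request that reaches admin-ajax.php while an administrator is
// logged in can change the stored setting. Nothing verifies intent (nonce),
// role (capability) or content, so a crafted link an admin clicks is enough,
// and whatever string arrives is stored and later rendered as-is.
function example_save_pixel_settings_weak() {
    update_option( 'example_pixel_id', $_POST['pixel_id'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_pixel_settings_weak', 'example_save_pixel_settings_weak' );

// HARDENED: CSRF token, privilege check and strict validation before storage.
// Only wp_ajax_ (logged-in) is registered; there is no wp_ajax_nopriv_ hook.
function example_save_pixel_settings() {
    // 1. CSRF: the request must carry a nonce issued to this user, emitted
    //    by wp_create_nonce( 'example_pixel_settings' ) in the settings page.
    //    check_ajax_referer() terminates the request if it is missing or stale.
    check_ajax_referer( 'example_pixel_settings', '_wpnonce' );

    // 2. Authorization: only users who may manage options can alter settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // calls wp_die(), no return
    }

    // 3. Validation: a Pixel ID is numeric, so reject anything else outright
    //    instead of storing a string that could carry script markup.
    $pixel_id = isset( $_POST['pixel_id'] ) ? wp_unslash( $_POST['pixel_id'] ) : '';
    if ( ! preg_match( '/^\d{1,20}$/', $pixel_id ) ) {
        wp_send_json_error( 'invalid pixel id', 400 );
    }
    update_option( 'example_pixel_id', $pixel_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_pixel_settings', 'example_save_pixel_settings' );

// 4. Output: escape at render time as well, so a bad stored value still
//    cannot execute in an administrator's browser.
function example_render_pixel_id() {
    echo esc_attr( get_option( 'example_pixel_id', '' ) );
}

// Event data: decode user-supplied payloads as plain data, never with
// unserialize(), which would instantiate attacker-chosen classes and fire
// their magic methods. Assumed here to arrive as JSON; if a PHP-serialized
// format cannot be avoided, unserialize( $raw, [ 'allowed_classes' => false ] )
// at least refuses to build objects.
function example_decode_event_data( $raw ) {
    $data = json_decode( $raw, true ); // associative arrays only, no objects
    return is_array( $data ) ? $data : array();
}
```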
Facebook for WordPress: Don’t Forget to Update!
The vulnerabilities have both been patched with a recent upgrade of the plugin to 3.0.4.
It is strongly recommended that all webmasters update their Facebook for WordPress plugin to the latest version in order to avoid any outside attackers compromising the security of their website.
We strongly recommend that these steps be taken immediately.
Image Credits
Featured Image: monticello / Mar 2021