Severe vulnerabilities patched in Facebook for WordPress Plugin

The worst of the bugs can lead to remote code execution if exploited.

Two severe vulnerabilities have been patched in the Facebook for WordPress Plugin.

Disclosed by the Wordfence Threat Intelligence team this week, the bugs impact Facebook for WordPress, formerly known as Official Facebook Pixel. 

The plugin, used to capture user actions when they visit a page and to monitor site traffic, has been installed on over 500,000 websites. 

On December 22, the researchers privately disclosed a critical vulnerability to the vendor; it has been assigned a CVSS severity score of 9. The vulnerability, a PHP object injection, was found in the plugin's run_action() function.

The function deserializes user-supplied data behind a nonce check. An attacker able to generate a valid nonce -- for example with a custom script, given knowledge of the site's secret keys -- could feed the plugin a serialized PHP object of their choosing and, through the deserialization weakness, go as far as uploading files to the vulnerable website and achieving remote code execution (RCE).

"This flaw made it possible for unauthenticated attackers with access to a site's secret salts and keys to achieve remote code execution through a deserialization weakness," the team says. 
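The pattern Wordfence describes, shown as an added example that is not code from the Facebook for WordPress plugin: a nonce-gated endpoint passes request data to unserialize(), and an application class with a dangerous __destruct() turns the deserialized object into a file write. The class, function and endpoint names, and the nonce stand-in, are hypothetical; the hardened variant shows the two standard fixes.

```php
<?php
// Added illustration of the bug class described above (PHP object injection
// through unserialize()), not code from the Facebook for WordPress plugin.
// The class, function and endpoint names are hypothetical.

// A gadget: an application class whose magic method does something dangerous.
// PHP calls __destruct() automatically, so a deserialized instance of this
// class writes a file without any further action by the caller.
class CacheWriter
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Stand-in for WordPress's wp_create_nonce(): a short hash derived from the
// site's secret salt, which is why knowing the salts is enough to forge one.
function make_nonce(): string
{
    $nonce_salt = 'hypothetical-NONCE_SALT-from-wp-config';
    return substr(hash_hmac('md5', 'run_action', $nonce_salt), -12, 10);
}

// Vulnerable pattern: a nonce gate in front of unserialize() on request data.
// The nonce proves the request was built by someone who knows the keys; it
// does not make the serialized bytes trustworthy.
function run_action_vulnerable(string $nonce, string $payload): void
{
    if (!hash_equals(make_nonce(), $nonce)) {
        return;
    }
    $obj = unserialize($payload);   // attacker chooses the class and its fields
    // When $obj goes out of scope at return, CacheWriter::__destruct() runs
    // and the attacker's file lands on disk.
}

// Hardened pattern: untrusted input must never instantiate objects.
function run_action_hardened(string $nonce, string $payload): ?array
{
    if (!hash_equals(make_nonce(), $nonce)) {
        return null;
    }
    // allowed_classes => false turns every object into __PHP_Incomplete_Class,
    // whose magic methods never fire. A data-only format such as JSON
    // (json_decode($payload, true)) removes the problem entirely.
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Builds the attacker's payload by hand so no gadget object is created on the
// attacker's side; the lengths are what PHP's serialize() would emit.
function craft_payload(string $path, string $data): string
{
    return sprintf(
        'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($path), $path, strlen($data), $data
    );
}

// Demo against a throwaway path (constructed input, not a real target).
$target  = sys_get_temp_dir() . '/demo-dropper.php';
$payload = craft_payload($target, '<?php echo "deserialized"; ?>');

run_action_vulnerable(make_nonce(), $payload);  // the destructor writes $target
run_action_hardened(make_nonce(), $payload);    // incomplete class, nothing written
```

The point of the nonce stand-in is the one Wordfence makes: a WordPress nonce is derived from the site's secret keys, so it authenticates the origin of a request, not the safety of its contents. Once an attacker can mint one, the only thing standing between them and code execution is whether the application ever hands their bytes to unserialize().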

The second vulnerability, rated high severity, was discovered on January 27. It is a cross-site request forgery (CSRF) flaw that leads to cross-site scripting (XSS), and it was introduced accidentally when the plugin was rebranded.

The rebrand added an AJAX function to make plugin integration easier. However, the function did not properly verify who was making the request, which opened an avenue for attackers to craft requests that would be executed "if they could trick an administrator into performing an action while authenticated to the target site," according to Wordfence.

"The action could be used by an attacker to update the plugin's settings to point to their own Facebook Pixel console and steal metric data for a site," the team says. "Worse yet, since there was no sanitization on the settings that were stored, an attacker could inject malicious JavaScript into the setting values."

Such JavaScript, running in an administrator's browser, could for example be used to plant backdoors in theme files or to create new administrator accounts, handing the attacker the entire website.
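The handler shape that produces a CSRF-to-stored-XSS chain, and its hardened form, as an added example that is not the plugin's own code. The action, option and field names are hypothetical; the WordPress functions called (check_ajax_referer, current_user_can, sanitize_text_field, esc_attr, wp_localize_script and the rest) are real core APIs. The vulnerable function is shown for contrast only and is not registered.

```php
<?php
// Added illustration of the CSRF-to-stored-XSS pattern described above, not
// the plugin's own code. The action, option and field names are hypothetical;
// the WordPress functions called are real ones from core.

// Vulnerable shape: an admin-ajax.php action with no nonce check and no
// capability check that stores whatever arrives. A page under the attacker's
// control can submit this request while an administrator is logged in, and
// the browser attaches the admin's cookies for them.
function fbe_save_settings_vulnerable(): void
{
    $pixel_id = $_POST['pixel_id'] ?? '';
    update_option('fbe_pixel_id', $pixel_id);   // '<script>...</script>' is stored as-is
    wp_send_json_success();
}

// Hardened shape: the request must carry a nonce only the plugin's own
// settings page can mint, the user must hold the capability to change
// settings, and the value must look like a pixel ID before it is stored.
function fbe_save_settings_hardened(): void
{
    check_ajax_referer('fbe_save_settings', '_ajax_nonce'); // dies if missing or forged
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    $pixel_id = sanitize_text_field(wp_unslash($_POST['pixel_id'] ?? ''));
    if (!preg_match('/^\d{1,20}$/', $pixel_id)) {     // pixel IDs are digit strings
        wp_send_json_error('invalid pixel id', 400);
    }
    update_option('fbe_pixel_id', $pixel_id);
    wp_send_json_success(['pixel_id' => $pixel_id]);
}
add_action('wp_ajax_fbe_save_settings', 'fbe_save_settings_hardened');

// Defence in depth on the output side: escape at the point of use, so a value
// stored before the fix still cannot execute in an administrator's browser.
function fbe_render_pixel_field(): void
{
    printf(
        '<input type="text" name="pixel_id" value="%s">',
        esc_attr(get_option('fbe_pixel_id', ''))
    );
}

// The settings page hands its own script the nonce. A third-party origin
// cannot read this value, which is what defeats the forged request.
function fbe_enqueue_admin_script(): void
{
    wp_enqueue_script('fbe-admin', plugins_url('admin.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('fbe-admin', 'fbeAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('fbe_save_settings'),
    ]);
}
add_action('admin_enqueue_scripts', 'fbe_enqueue_admin_script');
```

Three independent controls are doing the work here. The nonce stops the forged request; the capability check stops a low-privileged logged-in user from reaching the handler directly; the input validation and output escaping together stop a stored value from becoming script. Wordfence's two findings for this bug (settings hijack and JavaScript injection) map onto the absence of the first and the last of these.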

The reports were accepted by Facebook's security team. A patch for the first vulnerability was released on January 6, and a fix for the second on February 12; that patch needed further work, however, and a complete fix was not published until February 17.

Both vulnerabilities are fixed as of version 3.0.4, so webmasters should update to the latest available version of the plugin, which is currently 3.0.5.

ZDNet has reached out to Facebook for comment and we will update when we hear back. 
