Two Critical Vulnerabilities Patched in Facebook for WordPress Plugin
Both vulnerabilities can be used for complete site takeover and planting malicious backdoors.
This week, the Wordfence Threat Intelligence team revealed two vulnerabilities in the Facebook for WordPress plugin, formerly known as Official Facebook Pixel.
Facebook for WordPress, installed on over 500,000 websites, is a plugin designed to create a seamless integration between Facebook Pixel and a WordPress site. The plugin installs a Facebook Pixel on your site so you can capture the actions people take when they interact with your pages.
This way, vendors can better understand their customers' journey from the moment they show interest in a business to the moment they complete a conversion.
The vulnerabilities found in the Facebook for WordPress plugin gave attackers the ability to gain remote code execution through a PHP Object Injection vulnerability and to inject malicious JavaScript through a CSRF vulnerability. Exploiting them could allow an attacker to install backdoors, create administrator-level accounts and stage a complete site takeover.
The first critical vulnerability, which was issued a CVSS severity score of 9, was disclosed by cybersecurity researchers on December 22, 2020. Described as a PHP Object Injection flaw in the plugin's run_action() function, it made it possible for attackers to use the vulnerable plugin to write a file and proceed to Remote Code Execution (RCE).
“This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization weakness.”
As stated by Wordfence, “This meant that an attacker could generate a PHP file new.php in a vulnerable site’s home directory… The PHP file contents could be changed to anything… which would allow an attacker to achieve remote code execution.”
On January 27, 2021, a second vulnerability related to Cross-Site Request Forgery (CSRF) was discovered.
If an attacker could successfully trick an administrator into clicking a link, this flaw made it possible for them to inject malicious JavaScript into the plugin’s settings. The attacker could gain access to private metric data or stage a complete site takeover.
The team added, “worse yet, since there was no sanitization on the settings that were stored, an attacker could inject malicious JavaScript into the setting values.”
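The two weaknesses described above, request data passed to a deserializer in run_action() and a settings save with no request-forgery protection or sanitization, are a pattern any WordPress plugin can fall into. The following is an added PHP example, not the plugin's own code, showing a settings handler in that weak shape next to a hardened one; the function and option names (`fbwp_demo_*`) are invented for illustration, and the code assumes the WordPress API is loaded.

```php
<?php
// Added illustrative example (not the plugin's code): a WordPress admin-settings
// handler shown first in the weak shape the article describes, then hardened.
// Assumes it runs inside WordPress (update_option, check_admin_referer, etc. exist).

// WEAK: the two defects the article names, side by side.
function fbwp_demo_save_settings_weak(array $request): void {
    // PHP Object Injection: unserialize() on request data instantiates whatever
    // class the sender names, and its magic methods (__wakeup/__destruct) run.
    $state = unserialize($request['state']);
    // CSRF + stored XSS: no nonce/capability check and no sanitization, so a
    // forged request issued from a logged-in admin's browser stores arbitrary markup.
    update_option('fbwp_demo_pixel_id', $request['pixel_id']);
}

// HARDENED
function fbwp_demo_save_settings(array $request): void {
    // 1. Only privileged users may change settings.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    // 2. Reject cross-site forged requests: the nonce must have been emitted by
    //    wp_nonce_field('fbwp_demo_settings') on the plugin's own settings page.
    check_admin_referer('fbwp_demo_settings');

    // 3. Deserialize as data, never as objects: a JSON document cannot name a PHP class.
    $state = json_decode($request['state'] ?? '{}', true, 512, JSON_THROW_ON_ERROR);
    // If a legacy serialized blob must still be accepted, forbid class instantiation:
    //   $state = unserialize($blob, ['allowed_classes' => false]);

    // 4. Validate against what the value can legitimately be. A pixel ID is
    //    numeric, so anything containing '<script' simply fails the check.
    $pixel_id = sanitize_text_field($request['pixel_id'] ?? '');
    if (!preg_match('/^\d{1,20}$/', $pixel_id)) {
        wp_die('Invalid pixel ID', '', ['response' => 400]);
    }
    update_option('fbwp_demo_pixel_id', $pixel_id);
    update_option('fbwp_demo_state', $state);
}

// 5. Escape on output as well, so a value that did reach the database cannot
//    become script when rendered into the settings page or the pixel tag.
function fbwp_demo_render_pixel_id(): string {
    return '<input type="text" name="pixel_id" value="'
        . esc_attr(get_option('fbwp_demo_pixel_id', '')) . '">';
}
```

The capability check, the nonce check and the output escaping are independent layers: the nonce alone stops the link-click scenario in the article, but validation and escaping still matter for values that arrive by any other route.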
All users are advised to update the plugin to the latest version (currently Version 3.0.5) as soon as possible. Version 3.0.4 of Facebook for WordPress is fully patched, but version 3.0.5 is the most up-to-date release.
Wordfence Premium users received a firewall rule protecting against exploit attempts targeting the first vulnerability on December 22, 2020, and a firewall rule protecting against exploit attempts targeting the second vulnerability on January 27, 2021.
Sites still using the free version of Wordfence received the same protection on January 21, 2020, for the first vulnerability and on February 26, 2021, for the second.