Two serious vulnerabilities have just been fixed in the Facebook for WordPress plug-in. Disclosed by the Wordfence Threat Intelligence team this week, these vulnerabilities impact Facebook for WordPress, formerly known as the Official Facebook Pixel. The plug-in, used to capture users’ actions when they visit a page and to monitor site traffic, has been installed on more than 500,000 websites.
On December 22, cybersecurity researchers privately disclosed a critical vulnerability to the vendor that received a CVSS severity score of 9. The vulnerability, described as a PHP object injection, was discovered in the software’s run_action() function. If a valid name was generated – for example by using a custom script – an attacker could provide the plug-in with PHP objects for malicious purposes and go so far as to upload files to a vulnerable website and perform a remote code execution (RCE).
“This flaw allowed unauthenticated attackers with access to a site’s salts and secret keys to remotely execute code through a deserialization weakness,” the team explains.
Table of Contents
No permission
The second vulnerability, deemed of high importance, was discovered on January 27. The “cross-site request forgery” security flaw, which leads to a cross-site scripting problem, was accidentally introduced when the plug-in was renamed.
When the software was updated, an AJAX feature was introduced to facilitate the integration of the plug-in. However, a permission-checking issue in the function opened the door for attackers to craft requests that could be executed “if they could trick an administrator into performing an action while authenticated to the target site,” according to Wordfence.
“The action could be used by an attacker to update the plug-in settings to point to their own Facebook Pixel console and steal a site’s metrics,” the team says. “Even worse, because there was no sanitization on the stored settings, an attacker could inject malicious JavaScript into the setting values.”
Vulnerabilities fixed
Malicious JavaScript could, for example, be used to create backdoors in themes or create new administrator accounts to hijack entire websites.
The reports were accepted by Facebook’s security team and a patch for the first vulnerability was released on January 6, followed by a second patch on February 12. However, the patch for the second vulnerability required adjustments and the full patch was not released until February 17.
Both vulnerabilities have been updated to version 3.0.4, so webmasters are recommended to update to the latest available version of the plug-in, which is currently 3.0.5.
