The Wordfence team has discovered two critical vulnerabilities in the Facebook for WordPress plugin which, if exploited, could allow an attacker to inject malicious code into a site. As the team noted, exploiting these vulnerabilities requires a certain level of access, and a successful exploit can eventually lead to a full site takeover. The plugin's authors have released an updated version that patches both issues.
WordPress Plug-in Vulnerability
The Threat Intelligence Team at Wordfence has discovered two vulnerabilities in a WordPress plugin that could affect over half a million sites. The affected plugin is Facebook for WordPress, developed by Facebook.
The plugin is a conversion measurement tool: once installed, it connects the Facebook Pixel to the WordPress site and records visitor engagement metrics. This helps marketers gauge how successful a campaign is and adjust it accordingly.
As the Wordfence team reported, the first issue, a PHP Object Injection vulnerability, was found and reported to Facebook in December last year. It could allow unauthenticated users who had access to a site's secret salts and keys to perform a remote code execution (RCE) attack. It is rated 9.0 on the vulnerability severity scale and has now been patched.
The Wordfence team also found a second vulnerability in the same plugin, which was reported in January this year. This Cross-Site Request Forgery (CSRF) vulnerability would allow an attacker to inject JavaScript code into the site's settings by tricking an administrator into clicking a link or performing a similar action.
Combined exploitation of the two could also let an attacker take advantage of other vulnerabilities present in plugins coexisting on the same site. The second vulnerability is rated 8.8 on the severity scale and has also been patched.
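As an added illustration (not code from the Facebook for WordPress plugin or from Wordfence's report), the following hypothetical plugin handler shows the shape of the settings-save weakness described above beside a hardened version: the vulnerable handler honours any POST and stores raw input, so a forged request submitted from a logged-in administrator's browser can plant script in the stored settings, while the hardened handler requires a capability, verifies a nonce, and sanitizes before saving. The option name, form fields and action name are assumptions for this example.

```php
<?php
// Added example: hypothetical plugin code, not the Facebook for WordPress source.
// Option name, field names and the admin-post action are invented for illustration.

// VULNERABLE: no capability check, no nonce, value stored unsanitized.
// A cross-site forged POST from an admin's browser is indistinguishable from a
// legitimate save, so attacker-chosen markup ends up in the settings.
function demo_save_pixel_settings_vulnerable() {
    $pixel_id = $_POST['pixel_id'] ?? '';
    update_option( 'demo_pixel_id', $pixel_id );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-pixel' ) );
    exit;
}

// HARDENED: capability check, nonce verification and sanitization before storage.
function demo_save_pixel_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() stops the request unless it carries a valid nonce
    // for this action; a link or form on another origin cannot supply one.
    check_admin_referer( 'demo_save_pixel_settings', 'demo_nonce' );

    // A Pixel ID is numeric, so strip everything else and reject an empty result.
    $raw      = isset( $_POST['pixel_id'] ) ? wp_unslash( $_POST['pixel_id'] ) : '';
    $pixel_id = preg_replace( '/\D/', '', $raw );
    if ( '' === $pixel_id ) {
        wp_die( 'Invalid Pixel ID', '', array( 'response' => 400 ) );
    }
    update_option( 'demo_pixel_id', $pixel_id );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-pixel' ) );
    exit;
}
add_action( 'admin_post_demo_save_pixel_settings', 'demo_save_pixel_settings_hardened' );

// The settings form must emit the matching nonce field, and the stored value
// is escaped on output so a bad value that somehow got saved is still inert.
function demo_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_save_pixel_settings">';
    wp_nonce_field( 'demo_save_pixel_settings', 'demo_nonce' );
    echo '<input name="pixel_id" value="' . esc_attr( get_option( 'demo_pixel_id', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

When reviewing a plugin for this class of bug, look for every handler that writes options and confirm it has all three of these controls, not just one.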
Facebook has released version 3.0.5 of the Facebook for WordPress plugin, which contains patches for both vulnerabilities described above. Users are advised to update the plugin immediately.