Facebook has fixed two critical vulnerabilities in its popular WordPress plugin which could have been exploited to enable full site takeover, according to Wordfence.
The security company revealed yesterday that it disclosed the bugs to the social network on December 22 last year and January 27 2021. Patches for each were released on January 6 and February 7 2021, respectively.
The vulnerabilities affected the plugin formerly known as Official Facebook Pixel, which is said to be installed on around half a million sites globally. The software is designed to integrate Facebook’s Pixel conversion measurement tool with WordPress sites so it can monitor traffic and record specific user actions.
The first bug is a PHP object injection vulnerability with a CVSS score of 9.
“The core of the PHP Object Injection vulnerability was within the run_action() function. This function was intended to deserialize user data from the event_data POST variable so that it could send the data to the pixel console,” explained Wordfence threat analyst, Chloe Chamberland.
“Unfortunately, this event_data could be supplied by a user. When user-supplied input is deserialized in PHP, users can supply PHP objects that can trigger magic methods and execute actions that can be used for malicious purposes.”
As such, the bug could have been exploited to upload arbitrary files and achieve remote code execution on a vulnerable target.
The second vulnerability, a cross-site request forgery (CSRF) flaw, had a CVSS score of 8.8.
It was introduced by accident when developers updated the plugin to version 3.0, and relates to an AJAX function that was added to make the software’s integration into WordPress sites easier.
“There was a permission check on this function, blocking users lower than administrators from being able to access it; however, there was no nonce protection. This meant that there was no verification that a request was coming from a legitimate authenticated administrator session,” explained Chamberland.
“This made it possible for attackers to craft a request that would be executed if they could trick an administrator into performing an action while authenticated to the target site.”
The vulnerability could have been exploited to update the plugin’s settings, steal metric data and inject malicious backdoors into theme files or create new administrative user accounts to completely hijack a site, she added.
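To make the two weaknesses concrete, here is an added example that is not the plugin's own code and not from Wordfence: a hypothetical WordPress AJAX handler in its weak shape beside a hardened version, covering both the deserialization point from the first bug and the missing-nonce point from the second. The function, option and nonce names (fbp_demo_*) are invented for illustration.

```php
<?php
// Added illustration, not the plugin's code. All fbp_demo_* names are hypothetical.

// WEAK shape: capability check only, no nonce, and unserialize() on user-controlled
// POST data. This mirrors the two flaw classes described above.
function fbp_demo_save_settings_weak() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // No nonce: a logged-in administrator lured to a third-party page can be made
    // to submit this request without intending to (CSRF).
    // unserialize() of attacker-controlled bytes lets crafted objects reach magic
    // methods such as __wakeup()/__destruct() (PHP object injection).
    $event_data = unserialize( wp_unslash( $_POST['event_data'] ?? '' ) );
    update_option( 'fbp_demo_settings', $event_data );
    wp_send_json_success();
}

// HARDENED shape: verify a nonce bound to this action, keep the capability check,
// and never unserialize untrusted input; accept JSON and validate each field.
function fbp_demo_save_settings_hardened() {
    // check_ajax_referer() terminates the request with a 403 when the 'security'
    // field is missing or stale, so only pages that were handed
    // wp_create_nonce( 'fbp_demo_nonce' ) can reach the code below.
    check_ajax_referer( 'fbp_demo_nonce', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw  = isset( $_POST['event_data'] ) ? wp_unslash( $_POST['event_data'] ) : '';
    $data = json_decode( $raw, true ); // associative arrays only; no objects created
    if ( ! is_array( $data ) || ! isset( $data['pixel_id'] ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }
    $settings = array(
        'pixel_id' => sanitize_text_field( $data['pixel_id'] ),
        'enabled'  => ! empty( $data['enabled'] ),
    );
    update_option( 'fbp_demo_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_fbp_demo_save_settings', 'fbp_demo_save_settings_hardened' );

// If a legacy serialized format must still be read, refuse object instantiation:
// $legacy = unserialize( $raw, array( 'allowed_classes' => false ) );
```

The nonce must also be emitted into the admin page (for example via wp_localize_script with wp_create_nonce( 'fbp_demo_nonce' )) and sent as the `security` field, otherwise the hardened handler rejects every request.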
Users are urged to upgrade to the latest version of Facebook for WordPress (3.0.5).