Facebook has fixed two critical vulnerabilities in its WordPress plugin which when exploited could have let attackers take full control over the site.
The security company Wordfence, has disclosed the bugs to the social network on December 22 last year and January 27 2021. Patches for the same were released on January 6 and February 7 2021, respectively.
The vulnerabilities impact the plugin formerly known as Official Facebook Pixel, that has been installed by around half a million sites globally. The software is designed to integrate Facebook’s Pixel conversion measurement tool with WordPress sites so it can monitor traffic and record specific user actions.
The first bug is a PHP object injection vulnerability that has a CVSS score of 9.
Wordfence threat analyst, Chloe Chamberland explained that the core of the PHP Object Injection vulnerability was within the run_action() function. This function was intended to deserialize user data from the event_data POST variable so that it could send the data to the pixel console. Unfortunately, this event_data could be supplied by a user. When user-supplied input is deserialized in PHP, users can supply PHP objects that can trigger magic methods and execute actions that can be used for malicious purposes.
The bug could have been exploited to upload arbitrary files and achieve remote code execution on a vulnerable target.
The second bug is a cross-site request forgery that has a CVSS score of 8.8.
This bug occurred accidentally when developers updated the plugin to version 3.0, and relates to an AJAX function that was added to make the software’s integration into WordPress sites easier.
Chamberland explained that there was a permission check on this function, blocking users lower than administrators from being able to access it, however, there was no nonce protection. This meant that there was no verification that a request was coming from a legitimate authenticated administrator session.
This made it possible for attackers to craft a request that would be executed if they could trick an administrator into performing an action while authenticated to the target site.
The vulnerability when exploited could have been able to update the plugin’s settings, steal metric data and inject malicious backdoors into theme files or create new administrative user accounts to completely hijack a site.
All the users are highly recommended to update to the latest version of Facebook for WordPress (3.0.5).