
Severe Flaws in Official ‘Facebook for WordPress’ Plugin

A critical vulnerability in the official Facebook for WordPress plugin could be abused to upload arbitrary files, essentially leading to remote code execution, according to a warning from security researchers at Wordfence.

Formerly known as Official Facebook Pixel, the Facebook for WordPress plugin is used on more than 500,000 sites, allowing administrators to capture actions that visitors take when interacting with the page.

The bug carries a CVSS score of 9.0 and was reported to Facebook on December 22. Wordfence said the critical severity bug could allow an unauthenticated attacker to access a site’s secret and exploit a deserialization weakness to achieve remote code execution.

Described as a “PHP object injection with POP chain,” the vulnerability existed because the nonce that a function in Facebook for WordPress required could be generated using a custom script, and because a variable in a function meant to deserialize user data could be supplied by the user themselves.

“When user-supplied input is deserialized in PHP, users can supply PHP objects that can trigger magic methods and execute actions that can be used for malicious purposes,” the company said in an advisory.

They also note that, while a deserialization vulnerability could be relatively harmless on its own, the addition of a gadget, or magic method, to the mix would result in “significant damage” to a site. The bug in Facebook for WordPress could be combined with a magic method to upload arbitrary files, leading to remote code execution.

By abusing the vulnerability, an attacker could generate a PHP file in the home directory of a vulnerable website, then change the contents of that PHP file to whatever they wanted, achieving code execution.
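The deserialization weakness the article describes, shown as an added example that is not code from the article or the plugin: a class with a side-effecting magic method stands in for the "gadget", the weak loader hands user input straight to unserialize(), and the two hardened loaders keep PHP from ever instantiating objects from that input. The CacheEntry class and the loader functions are hypothetical.

```php
<?php
// Added example, not code from the article or the plugin: why handing user
// input to unserialize() is dangerous, and two ways to neutralise it. The
// CacheEntry class and the loader functions are hypothetical.

// Any loaded class whose magic method has a side effect is a potential
// gadget: if the serialized string is attacker-controlled, PHP builds the
// object and the method runs without the application ever calling it.
class CacheEntry {
    public $path;
    public $contents;
    public function __destruct() {
        // Hypothetical side effect: the entry is persisted on teardown.
        file_put_contents($this->path, $this->contents);
    }
}

// Weak: the raw string reaches unserialize() with no restrictions.
function load_user_data_weak(string $raw) {
    return unserialize($raw);
}

// Hardened 1: forbid object instantiation. Objects in the payload become
// __PHP_Incomplete_Class stubs, so no magic method can fire.
function load_user_data_safe(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened 2 (preferred for new code): a format with no object semantics.
function load_user_data_json(string $raw): array {
    return (array) json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

// Demonstration with a constructed, benign payload written by this script.
$tmp = sys_get_temp_dir() . '/unserialize_demo.txt';
$entry = new CacheEntry();
$entry->path = $tmp;
$entry->contents = "side effect ran\n";
$payload = serialize($entry);
unset($entry);                 // destructor runs once here
@unlink($tmp);
$obj = load_user_data_weak($payload);
unset($obj);                   // destructor runs again: file rewritten
echo file_exists($tmp) ? "weak loader: side effect fired\n" : "";
@unlink($tmp);
$obj = load_user_data_safe($payload);
echo get_class($obj), "\n";    // __PHP_Incomplete_Class
unset($obj);                   // no destructor: file is not recreated
echo file_exists($tmp) ? "" : "safe loader: no side effect\n";
```

The same allowed_classes restriction (or a move to JSON) is the fix regardless of which gadget class happens to be loaded on a site, which is why the check belongs at the deserialization call rather than in any individual class.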

After Facebook patched the flaw, the security researchers discovered a Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability in the updated plugin, and reported it on January 27. Patched in February, the issue was rooted in rewritten code that modified some of the plugin’s initial functionality related to saving the plugin’s settings.

“This function is used to update the plugin’s settings with the Facebook Pixel ID, access token, and external business key. These settings help establish a connection with the Facebook pixel console so that event data can be sent from the WordPress site to the appropriate Facebook pixel account,” Wordfence explains.

The function lacked nonce protection, meaning that it could not verify whether requests came from a legitimate authenticated administrator, thus allowing an attacker to “craft a request that would be executed if they could trick an administrator into performing an action while authenticated to the target site.”

An attacker could abuse the action to update the plugin’s settings and steal metric data for a site, and even inject malicious JavaScript code into the setting values. The code would be executed in the admin’s browser when they access the settings page, and could allow for the injection of backdoors into theme files, or for the creation of new administrative accounts, leading to complete site takeover.
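The missing-nonce settings handler and its fix, as an added example that is not the plugin's own code: the weak form accepts any POST from a logged-in admin's browser and stores the raw values, while the hardened form ties the request to a nonce, checks the capability, validates the inputs, and escapes stored values on output. Names prefixed fbpx_ are hypothetical; the WordPress API calls are real.

```php
<?php
// Added example, not the plugin's own code: a WordPress settings-save
// handler in the weak shape the article describes (no nonce check, raw
// values stored) beside a hardened form. Option, action and function
// names prefixed fbpx_ are hypothetical; the WordPress APIs are real.

// Weak: any POST that reaches this handler from a logged-in admin's browser
// is honoured, so a form on an attacker's page can submit it, and the raw
// values would later be echoed back on the settings page.
function fbpx_save_settings_weak() {
    update_option('fbpx_pixel_id', $_POST['pixel_id']);
    update_option('fbpx_access_token', $_POST['access_token']);
}

// Hardened: nonce bound to this action, capability check, strict inputs.
function fbpx_save_settings_safe() {
    // Ends the request with 403 unless a valid nonce for this action is present.
    check_admin_referer('fbpx_save_settings', 'fbpx_nonce');
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    // A pixel ID is numeric: reject anything else instead of sanitising it.
    $pixel_id = isset($_POST['pixel_id']) ? wp_unslash($_POST['pixel_id']) : '';
    if (!preg_match('/^\d{1,20}$/', $pixel_id)) {
        wp_die('Invalid pixel ID', '', ['response' => 400]);
    }
    $token = isset($_POST['access_token'])
        ? sanitize_text_field(wp_unslash($_POST['access_token'])) : '';
    update_option('fbpx_pixel_id', $pixel_id);
    update_option('fbpx_access_token', $token);
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php')));
    exit;
}
add_action('admin_post_fbpx_save_settings', 'fbpx_save_settings_safe');

// The form emits the matching nonce field, and stored values are escaped on
// output so they can never be interpreted as markup or script.
function fbpx_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="fbpx_save_settings">
        <?php wp_nonce_field('fbpx_save_settings', 'fbpx_nonce'); ?>
        <input name="pixel_id" value="<?php echo esc_attr(get_option('fbpx_pixel_id', '')); ?>">
        <input name="access_token" value="<?php echo esc_attr(get_option('fbpx_access_token', '')); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

The nonce blocks the forged request and the output escaping blocks the stored script, so both halves of the CSRF-to-stored-XSS chain the article describes are closed independently.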

Related: Hackers Start Exploiting Recent Vulnerabilities in Thrive Theme WordPress Plugins

Related: Vulnerabilities in NextGEN Gallery Plugin Exposed Many WordPress Sites to Takeover

Written By

Ionut Arghire is an international correspondent for SecurityWeek.