SecurityWeek


Severe Flaws in Official ‘Facebook for WordPress’ Plugin

A critical vulnerability in the official Facebook for WordPress plugin could be abused to upload arbitrary files, essentially leading to remote code execution, according to a warning from security researchers at Wordfence.

Formerly known as Official Facebook Pixel, the Facebook for WordPress plugin is used on more than 500,000 sites, allowing administrators to capture actions that visitors take when interacting with the page.

The bug carries a CVSS score of 9.0 and was reported to Facebook on December 22. Wordfence said the critical-severity bug could allow an unauthenticated attacker to access a site’s secret and exploit a deserialization weakness to achieve remote code execution.

Described as a “PHP object injection with POP chain,” the vulnerability existed because the nonce that a function in Facebook for WordPress required could be generated using a custom script, and because a variable in a function meant to deserialize user data could be supplied by the user themselves.

“When user-supplied input is deserialized in PHP, users can supply PHP objects that can trigger magic methods and execute actions that can be used for malicious purposes,” the company said in an advisory.

The researchers also note that, while a deserialization vulnerability could be relatively harmless on its own, the addition of a gadget, or magic method, to the mix would result in “significant damage” to a site. The bug in Facebook for WordPress could be combined with a magic method to upload arbitrary files, leading to remote code execution.

By abusing the vulnerability, an attacker could generate a PHP file in the home directory of a vulnerable website, then change the contents of that PHP file to whatever they wanted, achieving code execution.

After Facebook patched the flaw, the security researchers discovered a Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability in the updated plugin, and reported it on January 27. Patched in February, the issue was rooted in rewritten code that modified some of the plugin’s initial functionality related to saving the plugin’s settings.

“This function is used to update the plugin’s settings with the Facebook Pixel ID, access token, and external business key. These settings help establish a connection with the Facebook pixel console so that event data can be sent from the WordPress site to the appropriate Facebook pixel account,” Wordfence explains.

The function lacked nonce protection, meaning that it could not verify whether requests came from a legitimate authenticated administrator, thus allowing an attacker to “craft a request that would be executed if they could trick an administrator into performing an action while authenticated to the target site.”

An attacker could abuse the action to update the plugin’s settings and steal metric data for a site, and even inject malicious JavaScript code into the setting values. The code would be executed in the admin’s browser when they access the settings page, and could allow for the injection of backdoors into theme files, or for the creation of new administrative accounts, leading to complete site takeover.
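The two weaknesses described above, deserialization of user-controlled data and a settings handler without a nonce check, each shown beside a hardened form. This is an added illustration, not code from the Facebook for WordPress plugin; the function and option names are hypothetical, while `check_admin_referer`, `current_user_can`, `sanitize_text_field` and the `allowed_classes` option of `unserialize` are standard WordPress and PHP APIs.

```php
<?php
// Added illustration (not the Facebook for WordPress plugin's code): the two
// weaknesses the article describes, each beside a hardened form.

// --- 1. PHP object injection via deserialization ---
// Vulnerable pattern: user-controlled data reaches unserialize(), so the
// request can instantiate any loaded class and trigger its magic methods
// (__wakeup, __destruct, ...), i.e. a "POP chain" if a gadget class exists.
function load_user_data_vulnerable( string $raw ) {
    return unserialize( $raw ); // hypothetical example of the unsafe pattern
}

// Hardened: refuse to instantiate classes at all, or avoid the PHP
// serialization format entirely and parse JSON into plain arrays.
function load_user_data_safe( string $raw ): array {
    // allowed_classes => false turns any object into __PHP_Incomplete_Class,
    // so no plugin class's magic methods run during deserialization.
    $data = unserialize( $raw, [ 'allowed_classes' => false ] );
    return is_array( $data ) ? $data : [];
}

function load_user_data_json( string $raw ): array {
    $data = json_decode( $raw, true ); // associative arrays only, never objects
    return is_array( $data ) ? $data : [];
}

// --- 2. Settings update without a nonce (CSRF -> stored XSS) ---
// Vulnerable pattern: no nonce and no capability check, so a request forged
// in an admin's browser updates the settings, and the unsanitized value is
// later echoed into the settings page.
function save_settings_vulnerable() {
    update_option( 'example_pixel_id', $_POST['pixel_id'] ); // hypothetical option name
}

// Hardened: verify the nonce WordPress tied to the admin form, require the
// manage_options capability, and sanitize the value before it is stored.
function save_settings_safe() {
    check_admin_referer( 'example_save_settings', '_example_nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $pixel_id = sanitize_text_field( wp_unslash( $_POST['pixel_id'] ?? '' ) );
    if ( ! preg_match( '/^\d+$/', $pixel_id ) ) { // assumption: a Pixel ID is all digits
        wp_die( 'Invalid pixel id' );
    }
    update_option( 'example_pixel_id', $pixel_id );
}
// When rendering the settings page, still escape: echo esc_attr( get_option( 'example_pixel_id' ) );
```

Note that input sanitization alone does not replace the nonce and capability checks: the CSRF vector exists regardless of what value the forged request carries.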

Related: Hackers Start Exploiting Recent Vulnerabilities in Thrive Theme WordPress Plugins

Related: Vulnerabilities in NextGEN Gallery Plugin Exposed Many WordPress Sites to Takeover

Written By

Ionut Arghire is an international correspondent for SecurityWeek.