Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Severe Flaws in Official ‘Facebook for WordPress’ Plugin

A critical vulnerability in the official Facebook for WordPress plugin could be abused to upload arbitrary files, essentially leading to remote code execution, according to a warning from security researchers at Wordfence.

A critical vulnerability in the official Facebook for WordPress plugin could be abused to upload arbitrary files, essentially leading to remote code execution, according to a warning from security researchers at Wordfence.

Formerly known as Official Facebook Pixel, the Facebook for WordPress plugin is used on more than 500,000 sites, allowing administrators to capture actions that visitors take when interacting with the page.

The bug carries a CVSS score of 9.0 and was reported to Facebook on December 22.   Wordfence said the critical severity bug could allow an unauthenticated attacker to access a site’s secret and exploit a deserialization weakness to achieve remote code execution.

Described as a “PHP object injection with POP chain,” the vulnerability existed because the nonce that a function in Facebook for WordPress required could be generated using a custom script, and because a variable in a function meant to deserialize user data could be supplied by the user themselves.

“When user-supplied input is deserialized in PHP, users can supply PHP objects that can trigger magic methods and execute actions that can be used for malicious purposes,” the company said in an advisory.

They also note that, while a deserialization vulnerability could be relatively harmless on its own, the addition of a gadget, or magic method, to the mix would result in “significant damage” to a site. The bug in Facebook for WordPress could be combined with a magic method to upload arbitrary files, leading to remote code execution.

By abusing the vulnerability, an attacker could generate a PHP file in the home directory of a vulnerable website, then change the contents of that PHP file to whatever they wanted, achieving code execution.

After Facebook patched the flaw, the security researchers discovered a Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability in the updated plugin, and reported it on January 27. Patched in February, the issue was rooted in rewritten code that modified some of the plugin’s initial functionality related to saving the plugin’s settings.

“This function is used to update the plugin’s settings with the Facebook Pixel ID, access token, and external business key. These settings help establish a connection with the Facebook pixel console so that event data can be sent from the WordPress site to the appropriate Facebook pixel account,” Wordfence explains.

The function lacked a nonce protection, meaning that it could not verify whether requests came from a legitimate authenticated administrator, thus allowing an attacker to “craft a request that would be executed if they could trick an administrator into performing an action while authenticated to the target site.”

An attacker could abuse the action to update the plugin’s settings and steal metric data for a site, and even inject malicious JavaScript code into the setting values. The code would be executed in the admin’s browser when they access the settings page, and could allow for the injection of backdoors into theme files, or for the creation of new administrative accounts, leading to complete site takeover.

Related: Hackers Start Exploiting Recent Vulnerabilities in Thrive Theme WordPress Plugins

Related: Vulnerabilities in NextGEN Gallery Plugin Exposed Many WordPress Sites to Takeover


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...