Critical Flaws Identified in Facebook for WordPress Plugin

A critical flaw with a CVSS score of 9.0 has been identified in the official Facebook for WordPress plugin, which is used on more than 500,000 websites to record the actions users take when interacting with webpages.

The plugin, also known as Facebook Pixel, captures data such as Lead, ViewContent, AddToCart, InitiateCheckout and Purchase events, by installing a Facebook Pixel on web pages.

The vulnerability could be exploited by a threat actor to upload arbitrary files to a site with the plugin installed, which could lead to remote code execution. The flaw is a PHP object injection with a POP (property-oriented programming) chain. The nonce that the affected function requires can be generated using a custom script, and the variable that the function deserializes can be supplied by the user themselves. To exploit the flaw and achieve remote code execution, an attacker would also need access to the site’s secret salts and keys.

The vulnerability was identified by the Wordfence threat intelligence team and was reported to Facebook on December 22, 2020. According to Wordfence, “When user-supplied input is deserialized in PHP, users can supply PHP objects that can trigger magic methods and execute actions that can be used for malicious purposes.”
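The root cause Wordfence describes is user-controlled data reaching PHP's `unserialize()`. The following is an added example, not code from the Facebook for WordPress plugin: a settings handler written the vulnerable way beside one that accepts the same settings as JSON and validates each field, plus a helper for reading a legacy serialized value without letting any object be created. All function, option and parameter names are hypothetical; the event names are the ones the article lists.

```php
<?php
// Added example, not the plugin's code. Contrasts a handler that passes request
// data to unserialize() with one that accepts the same settings as JSON and
// validates each field. Function and parameter names are hypothetical.

// Event names the plugin records, per the article; used here as the allowed list.
const EXAMPLE_ALLOWED_EVENTS = array( 'Lead', 'ViewContent', 'AddToCart', 'InitiateCheckout', 'Purchase' );

/**
 * Vulnerable pattern: the request parameter goes straight into unserialize().
 * Any class loaded by WordPress or another plugin can be instantiated from the
 * string, and its magic methods (__wakeup, __destruct, __toString, ...) run as a
 * side effect. A nonce check in front of this does not help when the same user
 * who controls the payload can also obtain the nonce.
 */
function example_save_settings_vulnerable( array $request ) {
    if ( empty( $request['settings'] ) ) {
        return null;
    }
    return unserialize( wp_unslash( $request['settings'] ) ); // DO NOT DO THIS
}

/**
 * Hardened pattern: accept a data-only format (JSON decoded to arrays), reject
 * anything that is not the expected shape, and sanitize every field before use.
 * No object can be created from the input, so no magic method can be triggered.
 */
function example_save_settings_hardened( array $request ) {
    if ( empty( $request['settings'] ) || ! is_string( $request['settings'] ) ) {
        return null;
    }
    $decoded = json_decode( wp_unslash( $request['settings'] ), true );
    if ( json_last_error() !== JSON_ERROR_NONE || ! is_array( $decoded ) ) {
        return null; // not a plain JSON object
    }

    $clean = array();

    // Pixel ID: digits only.
    if ( isset( $decoded['pixel_id'] ) && preg_match( '/^\d{1,32}$/', (string) $decoded['pixel_id'] ) ) {
        $clean['pixel_id'] = (string) $decoded['pixel_id'];
    }

    // Events: only known names, each one a string.
    $clean['events'] = array();
    if ( isset( $decoded['events'] ) && is_array( $decoded['events'] ) ) {
        foreach ( $decoded['events'] as $event ) {
            if ( is_string( $event ) && in_array( $event, EXAMPLE_ALLOWED_EVENTS, true ) ) {
                $clean['events'][] = $event;
            }
        }
    }

    return $clean;
}

/**
 * If a legacy PHP-serialized value really must be read (for example an option
 * written by an older version), forbid object creation outright. Any object in
 * the blob becomes __PHP_Incomplete_Class, whose magic methods never execute
 * (requires PHP 7.0 or later for the options argument).
 */
function example_read_legacy_blob( string $blob ) {
    $value = unserialize( $blob, array( 'allowed_classes' => false ) );
    return is_array( $value ) ? $value : null;
}
```

The hardened handler removes the precondition the article describes (user-supplied data being deserialized) rather than relying on the attacker lacking the site's salts and keys; a nonce only proves a request came from a page the site rendered, not that the payload is safe.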

The Wordfence researchers also disclosed a second critical vulnerability to Facebook on January 27, 2020. The Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability allows threat actors to inject malicious JavaScript into the plugin’s settings if an administrator can be tricked into performing an action such as clicking a malicious link.

“This function is used to update the plugin’s settings with the Facebook Pixel ID, access token, and external business key. These settings help establish a connection with the Facebook pixel console so that event data can be sent from the WordPress site to the appropriate Facebook pixel account,” explained Wordfence. The flaw is due to the function lacking nonce protection to ensure a request came from a legitimate authenticated administrator. This would allow a threat actor to craft a request that would be executed if an administrator were tricked into taking a particular action, such as clicking a hyperlink while authenticated to the site.
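To make the missing nonce check concrete, here is an added example (not the plugin's code) of a settings handler for a hypothetical admin page: first without nonce and capability checks, which is the pattern behind a CSRF-to-stored-XSS chain, then with the standard WordPress checks that close it. The option, action, field and function names are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. A settings handler for a hypothetical
// admin page, first without nonce and capability checks (the pattern behind a
// CSRF-to-stored-XSS chain), then with the WordPress checks that close it.
// Option, action and field names are assumptions for the example.

/**
 * Vulnerable pattern. Any request that reaches this handler is honoured, so a
 * page on another site can submit a form to it on behalf of a logged-in admin.
 */
function example_save_pixel_settings_vulnerable() {
    $pixel_id = isset( $_POST['pixel_id'] ) ? wp_unslash( $_POST['pixel_id'] ) : '';
    update_option( 'example_pixel_id', $pixel_id ); // stored exactly as submitted
}

/** Vulnerable render: the stored value is echoed unescaped into the admin page. */
function example_render_pixel_settings_vulnerable() {
    echo '<input type="text" name="pixel_id" value="' . get_option( 'example_pixel_id', '' ) . '">';
}

/**
 * Hardened pattern.
 *  1. check_admin_referer() rejects the request unless it carries a nonce that
 *     WordPress issued for this action to this user; a cross-site page cannot
 *     read that value, so a forged request fails before anything is saved.
 *  2. current_user_can() ties the action to a capability, not just to being
 *     logged in.
 *  3. The value is sanitized on the way in and escaped on the way out, so even
 *     a bad value cannot become script in an administrator's browser.
 */
function example_save_pixel_settings_hardened() {
    check_admin_referer( 'example_save_pixel_settings', 'example_nonce' ); // calls wp_die() on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $pixel_id = isset( $_POST['pixel_id'] ) ? sanitize_text_field( wp_unslash( $_POST['pixel_id'] ) ) : '';
    if ( ! preg_match( '/^\d{1,32}$/', $pixel_id ) ) {
        wp_die( 'Invalid pixel ID', '', array( 'response' => 400 ) );
    }
    update_option( 'example_pixel_id', $pixel_id );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-pixel&updated=1' ) );
    exit;
}

/** Hardened form: the nonce field is what check_admin_referer() later validates. */
function example_render_pixel_settings_hardened() {
    $pixel_id = get_option( 'example_pixel_id', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_pixel_settings">
        <?php wp_nonce_field( 'example_save_pixel_settings', 'example_nonce' ); ?>
        <label>Pixel ID
            <input type="text" name="pixel_id" value="<?php echo esc_attr( $pixel_id ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Route the form submission to the hardened handler (admin_post_{action} hook).
add_action( 'admin_post_example_save_pixel_settings', 'example_save_pixel_settings_hardened' );
```

Both halves matter: the nonce stops the forged request from being accepted, and escaping on output means that even a value that did get stored cannot run as script when an administrator opens the settings page.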

Wordfence has recently disclosed details of the flaws now that Facebook has released patches for both vulnerabilities. The first flaw was patched by Facebook on January 6, 2021 and a patch was released for the second flaw on February 17, 2021. Users of the premium version of the plugin received a firewall rule on December 22, 2020 and January 27, 2021 to prevent exploitation of the vulnerabilities.

Now that details have been released it is important to ensure that the plugin is updated to a non-vulnerable version. Both patches are included in Facebook for WordPress 3.0.5 and later.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news