Facebook Patches WordPress Plugin to Fix Site Takeover Bugs

Facebook has patched two critical vulnerabilities in its popular WordPress plugin that could have been exploited to take over a site completely, according to Wordfence.

The security company revealed yesterday that it disclosed the bugs to the social network on December 22 last year and January 27, 2021. Patches for each were released on January 6 and February 7, 2021, respectively.

The vulnerabilities affected the plugin formerly known as Official Facebook Pixel, which is said to be installed on around half a million sites worldwide. The software is designed to integrate Facebook’s Pixel conversion-measurement tool with WordPress sites so that it can track traffic and record specific user actions.

The first bug is a PHP object injection vulnerability with a CVSS score of 9.

“The core of the PHP object injection vulnerability was within the run_action() function. This action was intended to deserialize user data from the event_data POST variable in order to send the data to the pixel console,” explained Wordfence threat analyst Chloe Chamberland.

“Unfortunately, this event_data could be supplied by a user. When user-supplied input is deserialized in PHP, users can supply PHP objects that trigger magic methods and execute actions that can be used for malicious purposes.”

As a result, attackers could have exploited the flaw to upload arbitrary files and achieve remote code execution on a vulnerable target.
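The pattern Wordfence describes, a request parameter handed straight to unserialize(), is shown below next to a hardened version. This is an added illustration written for this article, not the plugin's own code; the handler structure, the send_to_pixel_console() helper and the field names are assumptions, with only run_action and event_data taken from the article.

```php
<?php
// Added example modelled on the article's description. Hypothetical code, not
// the Facebook for WordPress plugin's actual implementation.

// Assumed downstream helper: forwards a cleaned event to the pixel console.
function send_to_pixel_console(array $event): array {
    return $event; // stand-in; the real destination is outside this example
}

// Vulnerable pattern: user-controlled POST data goes straight into unserialize().
// Every class loaded in the WordPress process becomes reachable, and its magic
// methods (__wakeup, __destruct, __toString) run on attacker-chosen properties.
function run_action_vulnerable(): void {
    $event = unserialize($_POST['event_data']); // no type or class restriction
    send_to_pixel_console((array) $event);
    wp_send_json_success();
}

// Hardened pattern: never reconstruct PHP objects from a request. Accept a plain
// data format (JSON decoded to arrays only) and validate shape and types before use.
function run_action_hardened(): void {
    $raw   = isset($_POST['event_data']) ? wp_unslash($_POST['event_data']) : '';
    $event = json_decode($raw, true, 4); // assoc arrays only, shallow nesting
    if (!is_array($event) || json_last_error() !== JSON_ERROR_NONE) {
        wp_send_json_error('invalid event_data', 400); // exits
    }
    // Field names below are assumptions for the example, not the plugin's schema.
    if (!isset($event['event_name']) || !is_string($event['event_name'])) {
        wp_send_json_error('missing or non-string event_name', 400);
    }
    if (isset($event['value']) && !is_numeric($event['value'])) {
        wp_send_json_error('value must be numeric', 400);
    }
    $clean = [
        'event_name' => sanitize_text_field($event['event_name']),
        'value'      => isset($event['value']) ? (float) $event['value'] : 0.0,
    ];
    send_to_pixel_console($clean);
    wp_send_json_success();
}

// If legacy serialized input genuinely cannot be retired, at least forbid object
// creation: unserialize() then produces __PHP_Incomplete_Class placeholders whose
// magic methods never run, instead of live objects.
function unserialize_without_objects(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}
```

The important distinction is that json_decode() with the second argument set to true can only ever produce arrays and scalars, so there is no object whose magic methods could fire; the allowed_classes option is the fallback for code that cannot change its wire format.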

The second CVE was a cross-site request forgery (CSRF) vulnerability with a CVSS score of 8.8.

It was inadvertently introduced when the developers updated the plugin to version 3.0, and it relates to AJAX functionality added to make integrating the software into WordPress sites easier.

“This action was protected with a capability check, preventing users below administrator level from accessing it; however, there was no nonce protection. This meant there was no verification that a request was coming from a valid authenticated administrator session,” Chamberland explained.

“This made it possible for attackers to craft a request that would be executed if they could trick an administrator into performing an action while authenticated to the target site.”

The vulnerability could be exploited to update the plugin’s settings, steal metric data, inject malicious code into theme files, or create new admin user accounts to take over a site completely, she said.
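The gap Chamberland describes, a capability check without a nonce check on an AJAX action, is easy to see in code. The following is an added example for this article, not the plugin's code; the fbwp_ prefixes, the hook names, the option name and the admin script path are all assumptions.

```php
<?php
// Added example: a hypothetical WordPress AJAX settings handler, not the
// Facebook for WordPress plugin's actual code.

// Vulnerable: current_user_can() only proves the browser carries an admin
// session cookie. It says nothing about whether the admin meant to send this
// request, so a form on any other site can submit it on the admin's behalf.
function fbwp_save_settings_vulnerable(): void {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    update_option('fbwp_pixel_id', sanitize_text_field(wp_unslash($_POST['pixel_id'] ?? '')));
    wp_send_json_success();
}
// Deliberately not hooked; shown only for contrast with the hardened handler.

// Hardened, step 1: hand the admin page a nonce bound to this specific action.
function fbwp_enqueue_admin_script(): void {
    wp_enqueue_script('fbwp-admin', plugins_url('admin.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('fbwp-admin', 'fbwpAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('fbwp_save_settings'), // sent back as _ajax_nonce
    ]);
}
add_action('admin_enqueue_scripts', 'fbwp_enqueue_admin_script');

// Hardened, step 2: verify the nonce before the capability check. A cross-site
// request cannot read the nonce, so it fails here with a 403 before any state changes.
function fbwp_save_settings_hardened(): void {
    check_ajax_referer('fbwp_save_settings', '_ajax_nonce'); // dies on missing/invalid nonce
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    $pixel_id = sanitize_text_field(wp_unslash($_POST['pixel_id'] ?? ''));
    // Format rule is an assumption for the example: pixel IDs treated as digit strings.
    if (!preg_match('/^[0-9]{1,20}$/', $pixel_id)) {
        wp_send_json_error('invalid pixel id', 400);
    }
    update_option('fbwp_pixel_id', $pixel_id);
    wp_send_json_success();
}
add_action('wp_ajax_fbwp_save_settings', 'fbwp_save_settings_hardened');
```

The nonce and the capability check answer different questions: the capability check asks who the user is, the nonce asks whether this request originated from a page the site itself served to that user. Both are needed for any state-changing AJAX action.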

Users are urged to update to the latest version of Facebook for WordPress (3.0.5).
