The Official Facebook for WordPress plugin (aka Facebook Pixel), which is designed to give Facebook another way to track our activities online, was recently fully patched to fix two serious vulnerabilities: a PHP Object Injection and a Cross-Site Request Forgery (aka CSRF to Stored XSS). Both flaws were introduced with the release of version 3.0 of the Facebook plugin.
The first flaw, the PHP Object Injection, made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization weakness. The second flaw, the Cross-Site Request Forgery, made it possible for attackers to inject malicious JavaScript into the plugin’s settings if they could successfully trick an administrator into performing an action such as clicking a link.
After multiple updates, a fully patched version of the “Official Facebook for WordPress” plugin, ver. 3.0.5, was released on March 10th to fix these vulnerabilities. It can be downloaded from WordPress.org, or you can update directly from your site’s Plugins > Installed Plugins page.
For more on this vulnerability including detailed examples, please visit:
Two Vulnerabilities Patched in Facebook for WordPress Plugin (c/o Wordfence Blog)
If you’re on one of our WordPress Care Plans, we’ve already taken action to protect and patch your site(s) against this flaw. No ESC! Technologies Group clients have been affected by this vulnerability.