Two vulnerabilities were patched in the Facebook for WordPress Plugin. The flaws could allow an attacker to install backdoors, create administrator-level accounts, and stage a complete site takeover.
Facebook for WordPress Exploit
The Facebook for WordPress plugin, installed on over 500,000 websites, is a visitor tracking tool for advertisers using Facebook ads. It allows advertisers to track the visitor journey and optimize their ad campaigns.
One of the exploits was discovered in December 2020. The other flaw was introduced in January 2021 as part of a rebranding and code update to the plugin.
PHP Object Injection Vulnerability
This type of vulnerability depends on code that inadequately sanitizes uploads, allowing an attacker to perform a variety of attacks such as code injection. In this specific case, an attacker could use the vulnerable plugin to upload a file and proceed to remote code execution. The particulars of this vulnerability could also allow the attacker to take advantage of other plugins containing the same class of flaw.
According to Wordfence:
"This meant that an attacker could generate a PHP file new.php in a vulnerable site’s home directory… The PHP file contents could be changed to anything… which would allow an attacker to achieve remote code execution.
Note that the presence of a full POP chain also meant that any other plugin with an object injection vulnerability, including those that did not require knowledge of the site’s salts and keys, could potentially be used to achieve remote code execution as well if it was installed on a site with the Facebook for WordPress plugin."
Cross-Site Request Forgery
A cross-site request forgery exploit requires a victim with administrator-level credentials to perform an action (such as clicking a link); the forged request is then carried out with the administrator's high-level privileges. An attacker could gain access to private metric data or stage a complete site takeover.
Wordfence describes it like this:
"The action could be used by an attacker to update the plugin’s settings to point to their own Facebook Pixel console and steal metric data for a site.
Worse yet, since there was no sanitization on the settings that were stored, an attacker could inject malicious JavaScript into the setting values.
These values would then be reflected on the settings page, causing the code to execute in a site administrator’s browser while accessing the settings page.
Ultimately, this code could be used to inject malicious backdoors into theme files or create new administrative user accounts that could be used for complete site takeover."
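The two weaknesses Wordfence describes above (a settings action that accepts forged requests, and setting values stored and echoed without sanitization) can be illustrated with a settings handler. This is an added example written for this article, not code from the Facebook for WordPress plugin; the option name, hook name, and "pixel_id" field are assumed for illustration.

```php
<?php
// Added illustration (not the plugin's own code): a WordPress admin-post
// settings handler for a hypothetical "pixel_id" option, first in the weak
// shape described in the write-up, then hardened.

// WEAK: any request reaching this hook is trusted (no nonce, no capability
// check) and the value is stored and echoed raw. A request forged from an
// admin's browser can both repoint the setting and plant script in the page.
function example_weak_save_settings() {
    update_option( 'example_pixel_id', $_POST['pixel_id'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

function example_weak_render_field() {
    echo '<input name="pixel_id" value="' . get_option( 'example_pixel_id' ) . '">';
}

// HARDENED: require the capability, verify a per-action nonce so cross-site
// requests fail, sanitize before storing, and escape on output.
function example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_settings">';
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input name="pixel_id" value="' . esc_attr( get_option( 'example_pixel_id', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // The nonce is bound to this user, this action and a time window; a form
    // on an attacker's site cannot supply a valid one.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $raw = isset( $_POST['pixel_id'] ) ? wp_unslash( $_POST['pixel_id'] ) : '';
    // Constrain to the expected shape (digits only) instead of just stripping tags,
    // so nothing script-like can ever be stored, let alone reflected.
    $pixel_id = preg_replace( '/\D/', '', sanitize_text_field( $raw ) );
    update_option( 'example_pixel_id', $pixel_id );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example' ) ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings' );
```

With the hardened handler, a forged request fails at `check_admin_referer`, and even a value that somehow reached storage is rendered through `esc_attr`, so it cannot execute in the administrator's browser.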
Update Recommended
It is recommended that all users immediately update their plugin to the latest version (currently Version 3.0.5). Facebook for WordPress version 3.0.4 is fully patched, but version 3.0.5 is the most up-to-date version of the plugin.
Citations
- Two Vulnerabilities Patched in Facebook for WordPress Plugin
- Facebook for WordPress Changelog