Wordfence announced that its Threat Intelligence team disclosed a vulnerability in a popular WordPress plugin called Facebook for WordPress, formerly known as Official Facebook Pixel. The plugin is installed on more than 500,000 sites.
Installed on over 500,000 sites
The flaw allows unauthenticated attackers who have access to a site’s secret salts and keys to achieve remote code execution through a deserialization weakness. The team also found a second, separately identified vulnerability in Facebook for WordPress, introduced when the plugin was rebranded in version 3.0.0, which lets an attacker inject malicious JavaScript into the plugin’s settings if they can trick an administrator into clicking a link.
Disclosure Timeline [PHP Object Injection]
December 22, 2020 – Conclusion of the plugin analysis that led to the discovery of the PHP Object Injection vulnerability in Facebook for WordPress. We develop firewall rules to protect Wordfence customers and release them to Wordfence Premium users. We initiate contact with the Facebook Pixel security team. We receive automated responses confirming receipt of our report.
December 25, 2020 – We receive a response requesting additional information.
December 28, 2020 – We send additional requested details.
January 4, 2021 – We receive confirmation that the plugin developers were able to duplicate our report and have begun working on a fix.
January 6, 2021 – A patched version of the plugin is released as version 3.0.0. We verify that the vulnerability has been patched.
January 21, 2021 – Free Wordfence users receive firewall rule.
Disclosure Timeline [CSRF to Stored XSS]
January 27, 2021 – Conclusion of the plugin analysis that led to the discovery of the CSRF to Stored XSS vulnerability in Facebook for WordPress. We develop firewall rules to protect Wordfence customers and release them to Wordfence Premium users. We initiate contact with the Facebook Pixel security team. We receive automated responses confirming receipt of our report.
February 1, 2021 – We receive a response requesting additional information. We send additional details the same day.
February 5, 2021 – We receive confirmation that the plugin developers were able to duplicate our report and have begun working on a fix.
February 12, 2021 – A patched version of the plugin is released as version 3.0.3.
February 15, 2021 – We follow up to inform the plugin developers of missing sanitization on the stored settings leading to an insufficient patch.
February 17, 2021 – An additional and fully sufficient patch is released.
February 26, 2021 – Free Wordfence users receive firewall rule.
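The two weakness classes described above (a deserialization flaw that needs the site's secret keys to reach, and a settings page with no CSRF check and no sanitization of what it stores) are easier to reason about in code. The following is an added, generic PHP 8 illustration written for this summary; it is not the plugin's code and makes no claim about how Facebook for WordPress was implemented. The `AuditLogger` class, the `tracker_id` setting, the digits-only validation rule, the nonce scheme and the `constructed-site-secret` value are all constructed for the example; the HMAC stands in for the role a site's salts play in authenticating stored data.

```php
<?php
// Added illustration, not the plugin's code. Generic, defender-side view of the two
// weakness classes named in the article. All names and values are constructed.
declare(strict_types=1);

// Harmless stand-in for a "gadget": any loaded class whose magic method does work
// when PHP rebuilds the object. unserialize() on attacker-controlled bytes lets the
// attacker pick which such classes get instantiated.
final class AuditLogger {
    public string $note = '';
    public static array $sideEffects = [];
    public function __wakeup(): void {
        self::$sideEffects[] = 'AuditLogger::__wakeup ran with note=' . $this->note;
    }
}

// ---- Weakness 1: PHP Object Injection --------------------------------------------

// Vulnerable pattern: whoever wrote the blob chooses the classes that come to life.
function loadSettingsUnsafe(string $blob): mixed {
    return unserialize($blob);
}

// Hardened pattern: the blob is authenticated with an HMAC over a server-side secret
// (stand-in for the site's salts), and even a valid blob may not instantiate objects.
// Prefer JSON for new code; this shows how to contain unserialize() where it remains.
function signSettings(array $settings, string $secret): string {
    $blob = serialize($settings);
    return hash_hmac('sha256', $blob, $secret) . '.' . $blob;
}

function containsObject(mixed $v): bool {
    if (is_object($v)) return true;               // includes __PHP_Incomplete_Class
    if (is_array($v)) foreach ($v as $x) if (containsObject($x)) return true;
    return false;
}

function loadSettingsSafe(string $signed, string $secret): ?array {
    $parts = explode('.', $signed, 2);
    if (count($parts) !== 2) return null;
    [$mac, $blob] = $parts;
    if (!hash_equals(hash_hmac('sha256', $blob, $secret), $mac)) return null; // forged/tampered
    $data = unserialize($blob, ['allowed_classes' => false]); // objects -> inert placeholders
    return (is_array($data) && !containsObject($data)) ? $data : null;
}

// ---- Weakness 2: CSRF to stored XSS in a settings page ---------------------------

// Stand-in for a framework nonce: bound to the user and the action, keyed by the secret.
function makeNonce(string $secret, string $userId, string $action): string {
    return hash_hmac('sha256', $userId . '|' . $action, $secret);
}

// Vulnerable pattern: no proof the admin meant to send this request, and the value is
// stored verbatim, so a script tag submitted via a lured click is echoed back later.
function saveSettingUnsafe(array $post, array &$options): void {
    $options['tracker_id'] = $post['tracker_id'] ?? '';
}

// Hardened pattern: capability check, nonce check, strict input validation (a tracker
// id is assumed to be digits only), and escaping at output time as a second layer.
function saveSettingSafe(array $post, array &$options, string $secret, string $userId, bool $canManage): bool {
    if (!$canManage) return false;
    if (!hash_equals(makeNonce($secret, $userId, 'save_tracker'), $post['_nonce'] ?? '')) return false;
    $value = $post['tracker_id'] ?? '';
    if (!preg_match('/^\d{1,20}$/', $value)) return false;
    $options['tracker_id'] = $value;
    return true;
}

function renderSetting(array $options): string {
    $v = htmlspecialchars($options['tracker_id'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<input name="tracker_id" value="' . $v . '">';
}

// ---- Walk-through with constructed inputs ---------------------------------------
$secret = 'constructed-site-secret';

$gadget = new AuditLogger();
$gadget->note = 'injected';
$hostile = serialize(['tracker_id' => $gadget]);   // the kind of bytes an attacker submits

loadSettingsUnsafe($hostile);                      // magic method fires
echo "after unsafe load: " . count(AuditLogger::$sideEffects) . " side effect(s)\n";

var_dump(loadSettingsSafe($hostile, $secret));                                         // no MAC
var_dump(loadSettingsSafe(signSettings(['tracker_id' => $gadget], $secret), $secret)); // MAC ok, objects refused
var_dump(loadSettingsSafe(signSettings(['tracker_id' => '1234'], $secret), $secret));  // accepted
echo "after safe loads: " . count(AuditLogger::$sideEffects) . " side effect(s)\n";

$options = [];
$lured = ['tracker_id' => '<script>alert(1)</script>']; // request an admin was tricked into sending
saveSettingUnsafe($lured, $options);
echo renderSetting($options), "\n";                    // output escaping alone defangs it

$options = [];
$userId = 'admin-1';
var_dump(saveSettingSafe($lured, $options, $secret, $userId, true));   // rejected: no nonce
$lured['_nonce'] = makeNonce($secret, $userId, 'save_tracker');
var_dump(saveSettingSafe($lured, $options, $secret, $userId, true));   // rejected: fails validation
var_dump(saveSettingSafe(['tracker_id' => '1234', '_nonce' => $lured['_nonce']], $options, $secret, $userId, true));
```

Run with `php example.php`. The walk-through shows the point of the article's first flaw: the unsafe loader runs `AuditLogger::__wakeup` on attacker-supplied bytes, while the hardened loader refuses an unsigned blob, refuses a signed blob that carries objects even when the signer holds the secret, and accepts only a signed, object-free array. Note that the HMAC check alone is exactly the control that collapses once an attacker has the site's secret keys, which is why `allowed_classes => false` (or JSON) is the layer that actually matters. For the second flaw, the unsafe handler stores whatever arrives, and the safe handler needs a valid per-user nonce, a privileged user and a value that matches the expected shape; `renderSetting` escapes on output so that even a previously stored bad value cannot become markup. In a real WordPress plugin the equivalent calls are `check_admin_referer()`, `current_user_can('manage_options')`, `sanitize_text_field()` and `esc_attr()`.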
Wordfence said,
“In today’s post, we detailed two flaws in the Facebook for WordPress plugin that granted attackers the ability to achieve remote code execution due to a PHP Object Injection vulnerability and inject malicious JavaScript due to a CSRF vulnerability, both of which can be used for complete site takeover. The flaws are both fully patched in version 3.0.4. We recommend that users immediately update to the latest version available, which is version 3.0.5 at the time of this publication.
Wordfence Premium users received firewall rules protecting against the first vulnerability on December 22, 2020 and the second vulnerability on January 27, 2021, while those still using the free version of Wordfence received the same protection for the first vulnerability on January 21, 2020 and on February 26, 2021 for the second vulnerability.”