Two vulnerabilities patched in Facebook’s WordPress plugin

Wordfence announced that the vulnerabilities it found in the Facebook for WordPress plugin are now patched.

Erdem Yasar by Erdem Yasar
March 27, 2021
in Cybersecurity
3 min read
Wordfence announced that its Threat Intelligence team disclosed a vulnerability in a popular WordPress plugin called Facebook for WordPress, formerly known as Official Facebook Pixel. The plugin is installed on more than 500,000 sites.

Installed on over 500,000 sites

The first flaw allows unauthenticated attackers who have access to a site’s secret salts and keys to achieve remote code execution through a deserialization weakness. The team found a second, separately identified vulnerability in Facebook for WordPress that was introduced when the plugin was rebranded in version 3.0.0: it lets attackers inject malicious JavaScript into the plugin’s settings if they can trick an administrator into clicking a link.

Disclosure Timeline [PHP Object Injection]

December 22, 2020 – Conclusion of the plugin analysis that led to the discovery of the PHP Object Injection vulnerability in Facebook for WordPress. We develop firewall rules to protect Wordfence customers and release them to Wordfence Premium users. We initiate contact with the Facebook Pixel security team. We receive automated responses confirming receipt of our report.

December 25, 2020 – We receive a response requesting additional information.

December 28, 2020 – We send additional requested details.

January 4, 2021 – We receive confirmation that the plugin developers were able to duplicate our report and have begun working on a fix.

January 6, 2021 – A patched version of the plugin is released as version 3.0.0. We verify that the vulnerability has been patched.

January 21, 2021 – Free Wordfence users receive firewall rule.

Disclosure Timeline [CSRF to Stored XSS]

January 27, 2021 – Conclusion of the plugin analysis that led to the discovery of the CSRF to Stored XSS vulnerability in Facebook for WordPress. We develop firewall rules to protect Wordfence customers and release them to Wordfence Premium users. We initiate contact with the Facebook Pixel security team. We receive automated responses confirming receipt of our report.

February 1, 2021 – We receive a response requesting additional information. We send additional details the same day.

February 5, 2021 – We receive confirmation that the plugin developers were able to duplicate our report and have begun working on a fix.

February 12, 2021 – A patched version of the plugin is released as version 3.0.3.

February 15, 2021 – We follow up to inform the plugin developers of missing sanitization on the stored settings leading to an insufficient patch.

February 17, 2021 – An additional and fully sufficient patch is released.

February 26, 2021 – Free Wordfence users receive firewall rule.
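The two weaknesses described above (a deserialization-based PHP Object Injection, and a settings form that could be submitted via CSRF and stored its values without sanitization) follow well-known WordPress plugin patterns. The following is a constructed example added here, not code from the Facebook for WordPress plugin or from Wordfence: a settings handler written the vulnerable way beside a hardened version using standard WordPress API functions. The `fbw_example_*` function names, option name and nonce action are assumptions.

```php
<?php
// Constructed example (not the plugin's code). Assumes the WordPress plugin API:
// check_admin_referer, sanitize_text_field, update_option, esc_attr, etc.

// --- Vulnerable pattern: no capability or nonce check, unserialize() on
// request data, and values stored verbatim.
function fbw_example_save_settings_vulnerable() {
    // Any logged-in administrator who opens a crafted link submits this
    // request, since nothing ties it to the plugin's own form (CSRF).
    $raw = $_POST['fbw_settings'] ?? '';
    // unserialize() on attacker-influenced data instantiates arbitrary
    // classes and runs their __wakeup/__destruct methods (PHP Object Injection).
    $settings = unserialize(base64_decode($raw));
    // Stored without sanitization: a value containing <script> is later
    // echoed into the admin page (stored XSS).
    update_option('fbw_example_settings', $settings);
}

// --- Hardened version: capability check, nonce check, no deserialization
// of request data, sanitized and validated values, and escaping on output.
function fbw_example_save_settings_hardened() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    // Rejects requests that did not originate from the plugin's own form,
    // which closes the CSRF vector.
    check_admin_referer('fbw_example_save', 'fbw_example_nonce');

    // Accept flat, typed fields instead of a serialized blob.
    $pixel_id = sanitize_text_field(wp_unslash($_POST['pixel_id'] ?? ''));
    if (!preg_match('/^\d{1,20}$/', $pixel_id)) {
        wp_die('Invalid pixel ID');
    }
    $enable = !empty($_POST['enable']) ? 1 : 0;

    update_option('fbw_example_settings', [
        'pixel_id' => $pixel_id,
        'enable'   => $enable,
    ]);
}

// Output side: escape even sanitized values so that a bad stored value can
// never execute in an administrator's browser.
function fbw_example_render_field() {
    $s = get_option('fbw_example_settings', ['pixel_id' => '', 'enable' => 0]);
    wp_nonce_field('fbw_example_save', 'fbw_example_nonce');
    printf('<input type="text" name="pixel_id" value="%s">', esc_attr($s['pixel_id']));
}
```

The February 15 entry above is the reason the output-side escaping and input sanitization are both present: a nonce check alone stops the CSRF, but values that are already stored still need to be sanitized and escaped.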

Wordfence said,

“In today’s post, we detailed two flaws in the Facebook for WordPress plugin that granted attackers the ability to achieve remote code execution due to a PHP Object Injection vulnerability and inject malicious JavaScript due to a CSRF vulnerability, both of which can be used for complete site takeover. The flaws are both fully patched in version 3.0.4. We recommend that users immediately update to the latest version available, which is version 3.0.5 at the time of this publication.

Wordfence Premium users received firewall rules protecting against the first vulnerability on December 22, 2020 and the second vulnerability on January 27, 2021, while those still using the free version of Wordfence received the same protection for the first vulnerability on January 21, 2020 and on February 26, 2021 for the second vulnerability.”
