Maintained WordPress projects that rely on the Facebook for WordPress plugin are updated on schedule.
The Facebook for WordPress plugin is installed on more than 500,000 sites and lets administrators capture the actions visitors take when interacting with a page.
The bug carries a CVSS score of 9.0 and was reported to Facebook on December 22. According to Wordfence, the critical-severity bug could allow an unauthenticated attacker to access a site’s secret and exploit a deserialization weakness to achieve remote code execution.
Described as a “PHP object injection with POP chain,” the vulnerability existed for two reasons: the nonce that a function in Facebook for WordPress required could be generated with a custom script, and a variable in a function meant to deserialize user data could be supplied by the user themselves.
“When user-supplied input is deserialized in PHP, users can supply PHP objects that can trigger magic methods and execute actions that can be used for malicious purposes,” the company said in an advisory.
Wordfence also notes that, while a deserialization vulnerability can be relatively harmless on its own, adding a gadget, or magic method, to the mix would result in “significant damage” to a site. The bug in Facebook for WordPress could be combined with a magic method to upload arbitrary files, leading to remote code execution.
By abusing the vulnerability, an attacker could create a PHP file in the home directory of a vulnerable website and then change its contents to whatever they wanted, achieving code execution.
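The following is an added example, not code from the plugin or from Wordfence, showing the mechanism the advisory describes: a magic method fires the moment user-controlled data reaches unserialize(), and what the safer alternatives look like. The class AuditEntry and its __wakeup() body are constructed placeholders that only record that they ran; they are not a real gadget. The script runs stand-alone under the PHP CLI (PHP 7.3 or later).

```php
<?php
// Added example (not the plugin's code). AuditEntry is a constructed
// placeholder class whose magic method merely records that it was invoked.
declare(strict_types=1);

class AuditEntry
{
    public string $note = '';
    public static array $log = [];

    // PHP calls __wakeup() automatically while unserialize() rebuilds the
    // object. Any loaded class with such a method is a candidate gadget once
    // attacker-controlled data reaches unserialize().
    public function __wakeup(): void
    {
        self::$log[] = 'AuditEntry::__wakeup ran for note=' . $this->note;
    }
}

// Vulnerable pattern: raw user input handed straight to unserialize().
function restore_vulnerable(string $userData): mixed
{
    return unserialize($userData);
}

// Hardened pattern 1: refuse objects entirely. Every class in the payload
// becomes __PHP_Incomplete_Class and no magic method is executed.
function restore_no_objects(string $userData): mixed
{
    return unserialize($userData, ['allowed_classes' => false]);
}

// Hardened pattern 2: use a data-only format. json_decode() cannot
// instantiate classes at all, so there is nothing for a gadget to hook.
function restore_json(string $userData): array
{
    return json_decode($userData, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed input: a serialized AuditEntry, i.e. the kind of string a
// client can produce itself once the request is accepted by the handler.
$payload = serialize(new AuditEntry());

restore_vulnerable($payload);
echo 'after unserialize(): ' . count(AuditEntry::$log) . " magic-method call(s)\n";

$safe = restore_no_objects($payload);
echo 'allowed_classes=false returns: ' . get_class($safe) . "\n";
echo 'after allowed_classes=false: ' . count(AuditEntry::$log) . " magic-method call(s)\n";

$data = restore_json('{"note":"hello"}');
echo 'json_decode() returns a plain array: ' . var_export(is_array($data), true) . "\n";
```

The first call increments the log because __wakeup() runs during deserialization; the second leaves the count unchanged and hands back a __PHP_Incomplete_Class instance. Note that the nonce the advisory mentions is a CSRF token, not a secret: a check that a client can satisfy with a script of its own is not an authorization boundary, so the fix has to be in how the data is parsed, not only in who may submit it.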
After Facebook patched the flaw, the researchers discovered a Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) vulnerability in the updated plugin and reported it on January 27. Patched in February, the issue was rooted in rewritten code that modified some of the plugin’s original functionality for saving its settings.
“This function is used to update the plugin’s settings with the Facebook Pixel ID, access token, and external business key. These settings help establish a connection with the Facebook pixel console so that event data can be sent from the WordPress site to the appropriate Facebook pixel account,” Wordfence explains.
The function lacked nonce protection, meaning it could not verify that requests came from a legitimate authenticated administrator, which allowed an attacker to “craft a request that would be executed if they could trick an administrator into performing an action while authenticated to the target site.”
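As an added example (not the plugin's own code; the page does not give its function, option or field names, so example_* names below are placeholders), here is a settings-save handler in the shape the advisory describes, first without request verification and then with the nonce check, capability check, input sanitisation and output escaping that close the CSRF-to-stored-XSS path. It uses standard WordPress APIs (check_admin_referer, wp_nonce_field, current_user_can, sanitize_text_field, update_option) and runs inside a WordPress install, not stand-alone.

```php
<?php
// Added example, not the plugin's code. All example_* names are placeholders.

// Before: POST fields are written straight to the options table. Nothing
// proves the request came from the administrator's own session, so a forged
// cross-site request is processed like a real one, and the stored values are
// later echoed into admin pages (stored XSS).
function example_save_settings_unprotected(): void
{
    update_option('example_pixel_id',     $_POST['pixel_id'] ?? '');
    update_option('example_access_token', $_POST['access_token'] ?? '');
    update_option('example_business_key', $_POST['business_key'] ?? '');
}

// After: nonce, capability, sanitisation, safe redirect.
function example_save_settings_protected(): void
{
    // 1. Nonce: dies with a 403 unless the request carries the token that
    //    WordPress issued to this user for this specific action.
    check_admin_referer('example_save_settings', 'example_nonce');

    // 2. Capability: only users who may manage options get to change them.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.', 'example'), '', ['response' => 403]);
    }

    // 3. Sanitise before storing so nothing script-like reaches the database.
    $pixel_id     = sanitize_text_field(wp_unslash($_POST['pixel_id'] ?? ''));
    $access_token = sanitize_text_field(wp_unslash($_POST['access_token'] ?? ''));
    $business_key = sanitize_text_field(wp_unslash($_POST['business_key'] ?? ''));

    // Facebook pixel IDs are numeric strings; reject anything else outright.
    if ($pixel_id !== '' && !ctype_digit($pixel_id)) {
        wp_die(esc_html__('Invalid pixel ID.', 'example'), '', ['response' => 400]);
    }

    update_option('example_pixel_id',     $pixel_id);
    update_option('example_access_token', $access_token);
    update_option('example_business_key', $business_key);

    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=example')));
    exit;
}
add_action('admin_post_example_save_settings', 'example_save_settings_protected');

// The form must emit the token that check_admin_referer() later validates,
// and every stored value must be escaped on the way back out (esc_attr).
function example_render_settings_form(): void
{
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field('example_save_settings', 'example_nonce'); ?>
        <label>Pixel ID
            <input type="text" name="pixel_id"
                   value="<?php echo esc_attr(get_option('example_pixel_id', '')); ?>">
        </label>
        <label>Access token
            <input type="password" name="access_token"
                   value="<?php echo esc_attr(get_option('example_access_token', '')); ?>">
        </label>
        <label>External business key
            <input type="text" name="business_key"
                   value="<?php echo esc_attr(get_option('example_business_key', '')); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The nonce alone only proves that the request was built from a form WordPress rendered for this user; the capability check is what enforces who may change settings, and escaping on output is what stops a value that does get stored from executing in another administrator's browser. All three belong together.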
Read more about it in the Wordfence blog post.