The Facebook for WordPress Plugin was earlier reported to have two vulnerabilities. Both have been fixed in the latest plugin update.
One of the critical security bugs reported received a CVSS score of 9.0. The security researcher discovered a PHP object injection flaw in the run_action() function.
The other vulnerability appeared in the next version of the plugin, where the researchers discovered a cross-site request forgery (CSRF) flaw. This flaw received a CVSS score of 8.8.
Why should you update Facebook for WordPress Plugin?
According to Wordfence, the Facebook for WordPress Plugin was recently found to have two separate vulnerabilities. It is a popular WordPress plugin with around 500,000 active installations. As a result of the vulnerabilities, attackers were able to execute code remotely by using custom scripts to generate a valid nonce. The latest version of the Facebook for WordPress Plugin fixes both.
What Wordfence had to say
This function was intended to deserialize user data from the event_data POST variable so that it could send the data to the pixel console. Unfortunately, this event_data could be supplied by a user. When user-supplied input is deserialized in PHP, users can supply PHP objects that can trigger magic methods and execute actions that can be used for malicious purposes.
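As an added illustration (not code from the page or from the plugin), the pattern Wordfence describes and two ways to defuse it, in plain PHP; the class `Probe` and the `parse_*` function names are hypothetical:

```php
<?php
// Added illustration, not the plugin's own code: unserialize() on a
// user-controlled value (such as a POST field) runs magic methods of whatever
// class the sender names, and two ways to prevent that. Names are hypothetical.

class Probe {
    public static $wakeups = 0;
    // PHP calls __wakeup() automatically while unserializing an object of this
    // class, so whoever controls the serialized bytes decides whether it runs.
    public function __wakeup(): void { self::$wakeups++; }
}

// Vulnerable pattern: the raw request value goes straight into unserialize().
function parse_unsafe(string $event_data) {
    return unserialize($event_data);
}

// Mitigation 1 (PHP >= 7.0): forbid object instantiation. Any object in the
// payload becomes __PHP_Incomplete_Class and no magic method fires; anything
// that is not plain array data is rejected.
function parse_no_objects(string $event_data): ?array {
    $value = unserialize($event_data, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

// Mitigation 2: do not use PHP serialization for user data at all. JSON can
// only ever yield scalars and arrays, so there is no object to instantiate.
function parse_json(string $event_data): ?array {
    $value = json_decode($event_data, true, 16);
    return is_array($value) ? $value : null;
}

// Constructed inputs: a benign event record, and a serialized object of a
// class that happens to be loaded in the process.
$benign  = serialize(['event' => 'PageView', 'value' => 1]);
$hostile = serialize(new Probe());

parse_unsafe($hostile);
printf("unsafe:   __wakeup calls = %d\n", Probe::$wakeups);

Probe::$wakeups = 0;
$filtered = parse_no_objects($hostile);
printf("filtered: result is %s, __wakeup calls = %d\n",
       $filtered === null ? 'rejected' : 'accepted', Probe::$wakeups);
printf("benign:   event = %s\n", parse_no_objects($benign)['event']);
printf("json:     event = %s\n", parse_json('{"event":"PageView"}')['event']);
```

Running it shows the counter incrementing only for the unguarded call; the `allowed_classes` filter and the JSON path both leave `__wakeup()` untouched.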
Facebook for WordPress Plugin Bug Fixed
The PHP object injection flaw, discovered by the Wordfence researchers in December 2020, was patched in version 3.0.0 of the plugin. A further patch was released in version 3.0.3 after the earlier fix introduced the CSRF vulnerability. All of these issues have been addressed in the latest Facebook for WordPress Plugin, version 3.0.5.
All Facebook for WordPress Plugin users are advised to update the plugin.