Two vulnerabilities were patched in the Facebook for WordPress Plugin. The exploits could allow a malicious attacker to install backdoors, create administrator level accounts and stage a complete site takeover.
Facebook for WordPress Exploit
Facebook for WordPress plugin, installed in over 500,000 websites, is a site visitor tracking plugin for advertisers that use Facebook ads. It allows advertisers to track the visitor journey and optimize their ad campaigns.
One of the exploits was discovered in December 2020. The other flaw was introduced in January 2021 as part of a rebranding and code update to the plugin.
PHP Object Injection Vulnerability
This kind of exploit depends on a flaw that inadequately sanitizes uploads which in turn allows an attacker to perform a variety of attacks such as code injection.
In this specific attack a hacker could use the compromised plugin to upload a file and proceed to a remote code execution.
The particulars of this vulnerability could also allow the attacker to take advantage of other plugins containing the vulnerability.
According to Wordfence:
“This meant that an attacker could generate a PHP file new.php in a vulnerable site’s home directory… The PHP file contents could be changed to anything… which would allow an attacker to achieve remote code execution.
Note that the presence of a full POP chain also meant that any other plugin with an object injection vulnerability, including those that did not require knowledge of the site’s salts and keys, could potentially be used to achieve remote code execution as well if it was installed on a site with the Facebook for WordPress plugin.”
Cross-Site Request Forgery
A cross site request forgery exploit is a type that requires a victim with administrator level credentials to a WordPress site to perform an action (like click on a link) which would then lead to an attack that takes advantage of the administrators high level credentials.
An attacker could gain access to private metric data or stage a complete site takeover.
Wordfence describes it like this:
“The action could be used by an attacker to update the plugin’s settings to point to their own Facebook Pixel console and steal metric data for a site.
These values would then be reflected on the settings page, causing the code to execute in a site administrator’s browser while accessing the settings page.
Ultimately, this code could be used to inject malicious backdoors into theme files or create new administrative user accounts that could be used for complete site takeover.”
It is recommended that all users immediately update their plugin to the latest version (currently Version 3.0.5). Facebook for WordPress version 3.0.4 is fully patched but version 3.0.5 is the most up to date version of the plugin.