Researchers at Wordfence have discovered two vulnerabilities in the Facebook for WordPress plugin, which has more than 500,000 active installations. The plugin allows administrators to capture the actions people take while interacting with their page, such as Lead, ViewContent, AddToCart, InitiateCheckout and Purchase events.
“On December 22, 2020, our Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites.” reads the post published by WordFence. “This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization weakness.”
The issue, described as a PHP object injection with POP chain, could be exploited by an unauthenticated attacker to access a site’s secret and keys and exploit a deserialization weakness to achieve remote code execution.
The issue could be only exploited by an attacker with a valid nonce because the handle_postback function requires a valid nonce.
“The core of the PHP Object Injection vulnerability was within the run_action() function. This function was intended to deserialize user data from the event_data POST variable so that it could send the data to the pixel console. Unfortunately, this event_data could be supplied by a user.” continues the post. “When user-supplied input is deserialized in PHP, users can supply PHP objects that can trigger magic methods and execute actions that can be used for malicious purposes.”
The experts pointed out that even if a deserialization vulnerability could be relatively harmless when combined with a gadget or magic method would result in “significant damage” to a site. This means that the vulnerability in Facebook for WordPress could be combined with a magic method to upload arbitrary files and get remote code execution.
“This meant that an attacker could generate a PHP file new.php in a vulnerable site’s home directory with the contents . The PHP file contents could be changed to anything, like which would allow an attacker to achieve remote code execution.” continues Wordfence.
The vulnerability was rated as critical severity and received a CVSS score of 9 out of 10.
Experts reported the flaw to the social network giant on December 22, which fixed it on January 6, with the release of a new version.
After Facebook patched the flaw, the security researchers discovered a Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability in the updated plugin. The flaw was rated as a high-severity and received a CVSS score of 8.8. The flaw was reported to Facebook on January 27 and was addressed on February 26, 2021.
“One of the changes they made while updating the plugin addressed the functionality behind saving the plugin’s settings. This was converted to an AJAX action to make the integration process more seamless. The new version introduced the wp_ajax_save_fbe_settings AJAX action tied to the saveFbeSettings function.” states the advisory. “This function is used to update the plugin’s settings with the Facebook Pixel ID, access token, and external business key. These settings help establish a connection with the Facebook pixel console so that event data can be sent from the WordPress site to the appropriate Facebook pixel account.”
These values would then be reflected on the settings page, causing the code to execute in a site administrator’s browser while accessing the settings page. The expert discovered that the code could be used to inject malicious backdoors into theme files or create new administrative user accounts that could allow to take over the site.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, WordPress plugin)