Another day, another vulnerability disclosure!
The Wordfence Threat Intelligence team discovered two vulnerabilities in Facebook for WordPress (formerly known as Official Facebook Pixel), a WordPress plugin with over 500,000 active installations. The more serious one is a deserialization bug: an unauthenticated attacker who also holds the site's secret salts and keys can use it to achieve remote code execution.
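To make the bug class concrete, here is an added illustrative example in PHP; it is not the plugin's code, and the class name, function names and file paths are invented for the demo. It shows the generic PHP object injection pattern (request-controlled data passed to unserialize(), with a loaded class whose magic method does something dangerous) next to two hardened forms. The page says the real attack also requires the site's secret salts and keys, which means the vulnerable call sat behind a secret-derived check; that guard is deliberately not modelled here, because the fix is to never hand untrusted data to unserialize() whether or not something gates the call (salts do leak, through backups, misconfigured hosts and file-read bugs).

```php
<?php
// Added illustrative example, not the plugin's own code: a generic PHP object
// injection through unserialize() on request-controlled data, beside two
// hardened alternatives. Class name, function names and paths are invented.
// Requires PHP 8 (typed properties, mixed return type).

// A class that becomes a "gadget" because its __destruct() acts on
// attacker-settable properties. Any such class loaded at request time
// (a plugin, a theme, WordPress core) can be reached by a crafted payload.
class CacheWriter
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        // Runs when the object is freed, with whatever values unserialize() filled in.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern: request input goes straight into unserialize(), so the
// attacker decides which classes get instantiated and with which properties.
function run_action_vulnerable(string $payload): mixed
{
    return unserialize($payload);
}

// Hardened pattern 1: keep unserialize() but forbid object instantiation.
// Objects in the payload become __PHP_Incomplete_Class placeholders, which
// carry no magic methods that could be triggered.
function run_action_safe(string $payload): mixed
{
    return unserialize($payload, ['allowed_classes' => false]);
}

// Hardened pattern 2: use JSON for anything that crosses a trust boundary.
// JSON has no notion of PHP objects, so there is nothing to inject.
function run_action_json(string $payload): ?array
{
    $value = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : null;
}

// Constructed attacker payload (what would arrive in the request body).
// sprintf()/strlen() keep the serialized string lengths correct.
$path = sys_get_temp_dir() . '/poc_' . getmypid() . '.txt';
$data = "written by the gadget\n";
$payload = sprintf(
    'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($path), $path, strlen($data), $data
);

// Vulnerable path: a real CacheWriter is built and its destructor fires on unset().
$obj = run_action_vulnerable($payload);
unset($obj);
echo 'vulnerable: file written? ', var_export(file_exists($path), true), PHP_EOL;
if (file_exists($path)) {
    unlink($path);
}

// Hardened path: only a placeholder object comes back, so no destructor runs.
$safe = run_action_safe($payload);
unset($safe);
echo 'hardened:   file written? ', var_export(file_exists($path), true), PHP_EOL;

// JSON path rejects the serialized payload outright, since it is not valid JSON.
try {
    run_action_json($payload);
} catch (JsonException $e) {
    echo 'json: rejected (', $e->getMessage(), ')', PHP_EOL;
}
```

The gadget here is trivial on purpose; in a real WordPress install the attacker picks gadget classes from whatever code is loaded, and chains them to reach file writes or code execution. The practical rule that follows is the one the hardened variants implement: if serialized data must be accepted from outside, pass allowed_classes => false (or an explicit allow-list of plain data classes), and prefer JSON for new code.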
For the first vulnerability, Wordfence contacted Facebook's security team on December 22, 2020, including full disclosure details in the initial report. Facebook requested additional details on December 25, 2020, which Wordfence provided on December 26, 2020. A patch was released on January 6, 2021.
For the second flaw, Wordfence contacted Facebook's security team again on January 27, 2021, again with full disclosure details. On February 1, 2021, the Facebook team asked for more details, which were provided the same day. Good work, Wordfence team! 👍
An initial patch was released on February 12, 2021, followed by a fully sufficient patch on February 17, 2021. We strongly recommend updating to the latest version, 3.0.5, which includes all of the patches.
Moments ago, our Threat Intelligence team published details about 2 vulnerabilities discovered in Facebook for WordPress, a plugin installed on over 500K sites. These are considered high & critical severity flaws that could lead to site takeover. — Wordfence (@wordfence) March 25, 2021