2 Vulnerabilities Patched in Facebook for WordPress Plugin

Another day, Another Vulnerability News!

The Wordfence Threat Intelligence team discovered a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin with over 500,000 active installations. Through a deserialization bug, an unauthenticated attacker who has obtained a site’s secret salts and keys is able to achieve remote code execution.

These vulnerabilities are rated high and critical severity. In addition, the Wordfence team disclosed a separately discovered flaw in Facebook for WordPress on January 27, 2021, which was introduced with the plugin’s rebranding in version 3.0.0. If an attacker could trick an administrator into performing an action such as clicking a link, this bug allowed them to inject malicious JavaScript into the plugin’s settings.

For the first vulnerability, Wordfence reached out to Facebook’s security team on December 22, 2020, including the full disclosure information in that initial contact. Facebook requested additional details on December 25, 2020, which Wordfence provided on December 26, 2020. On January 6, 2021, a patch was released.

For the second flaw, Wordfence contacted Facebook’s security staff again on January 27, 2021, once more with the full disclosure information. On February 1, 2021, the Facebook team replied with a request for more details, which Wordfence provided the same day. Good Work Wordfence Team! 👍

On February 12, 2021, an initial patch was released, followed by a fully sufficient patch on February 17, 2021. As a result, we strongly recommend updating to the latest version, 3.0.5, which includes all patches.
