Skip to main content

Patch the Facebook for WordPress plugin now, users warned

Person editing a WordPress site
(Image credit: Pixabay)
Audio player loading…

The Threat Intelligence team at Wordfence (opens in new tab) has discovered two vulnerabilities in Facebook's WordPress plugin (opens in new tab) that if left unpatched, could be exploited by an attacker to achieve remote code execution or to inject malicious JavaScript into the plugin's settings.

Facebook for WordPress (opens in new tab) is a plugin designed to create a seamless integration between the conversion measurement tool Facebook Pixel and a WordPress (opens in new tab) site. Once installed, the plugin monitors site traffic and records data when users access pages and perform certain actions on a site.

The first flaw discovered by Wordfence could be used by unauthenticated attackers with access to a site's secret salts and keys to achieve remote code execution (opens in new tab) through a deserialization weakness. The company responsibly disclosed the vulnerability to Facebook at the end of last year and it has now been patched.

Facebook for WordPress

The second flaw discovered in Facebook for WordPress by Wordfence's Threat Intelligence team was introduced when the plugin was rebrandred with the launch of version 3.0.0. 

If exploited, this flaw could allow for attackers to inject malicious JavaScript (opens in new tab) into the plugin's settings if an attacker could successfully trick a WordPress admin into performing an action such as clicking on a link. Wordfence reached out to Facebook's security team at the end of January of this year to inform them about the second vulnerability.

Both vulnerabilities in Facebook for WordPress should be patched immediately as the PHP Object Injection vulnerability has a CVSS score of 9.0 and is rated as critical while the Cross-Site Request Forgery has a CVSS Score of 8.8 and is rated as high.

Version 3.0.5 of the Facebook for WordPress plugin is available now and the latest version of the plugin contains patches that address both vulnerabilities.

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.