
Severe Flaws in Official 'Facebook for WordPress' Plugin
2021-03-26 15:05

A critical vulnerability in the official Facebook for WordPress plugin could be abused to upload arbitrary files, essentially leading to remote code execution, according to a warning from security researchers at Wordfence.

Formerly known as Official Facebook Pixel, the Facebook for WordPress plugin is installed on more than 500,000 sites. It lets site administrators record the actions visitors take on their pages and report those events to the Facebook pixel backend.

Described by Wordfence as a "PHP object injection with POP chain," the vulnerability had two causes. First, the nonce that the affected function checked could be generated by anyone using a custom script, so passing the check did not show that the caller was trusted. Second, the variable that the function then handed to PHP's deserialization routine was taken directly from user-supplied input.

Once attacker-controlled bytes reach unserialize(), the attacker chooses which class PHP instantiates, and PHP runs that class's magic methods (such as __destruct or __wakeup) automatically; a POP chain strings such methods together to reach a useful side effect. In Facebook for WordPress the bug could be combined with a magic method to write arbitrary files to the server, and an attacker-written PHP file under the web root amounts to remote code execution.
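The following is an added example, not code from the plugin or from Wordfence's writeup, showing the mechanism described above in runnable PHP 8: a hypothetical gadget class (LogFlusher, standing in for whatever class the real chain used) whose __destruct writes a file, a handler that deserializes request data the way the vulnerable code did, and two ways to close the hole. The nonce check is omitted on purpose: as the article notes, a nonce anyone can generate is not an authorization control, so the fix has to be in what the handler does with the bytes. The payload and the target path are constructed here for the demonstration.

```php
<?php
// Added example: PHP object injection reaching a file write through a
// one-gadget POP chain, and the hardened alternatives. Not the plugin's code.
declare(strict_types=1);

class LogFlusher   // hypothetical gadget class, not from the plugin
{
    public string $path;
    public string $buffer = '';

    // PHP calls this automatically when the object is destroyed, including
    // objects that came from unserialize(). Whoever controls the serialized
    // bytes controls $path and $buffer, so this is an arbitrary file write.
    public function __destruct()
    {
        if ($this->buffer !== '') {
            file_put_contents($this->path, $this->buffer);
        }
    }
}

// Vulnerable pattern: request data goes straight into unserialize(), so the
// caller chooses the class and every property value.
function vulnerable_run_action(string $event_data): void
{
    $event = unserialize($event_data);
    unset($event);   // refcount hits zero, __destruct runs here
}

// Hardened pattern 1: use a data-only format and validate the shape you expect.
function hardened_run_action(string $event_json): array
{
    $event = json_decode($event_json, true, 4, JSON_THROW_ON_ERROR);
    if (!is_array($event) || !isset($event['event_name']) || !is_string($event['event_name'])) {
        throw new InvalidArgumentException('malformed event');
    }
    return ['event_name' => $event['event_name']];
}

// Hardened pattern 2: if unserialize() cannot be removed, refuse objects.
// PHP 7+ turns any object in the payload into __PHP_Incomplete_Class,
// whose magic methods never run.
function unserialize_data_only(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed payload: what an attacker would submit in the request body.
$target = sys_get_temp_dir() . '/poc_' . bin2hex(random_bytes(4)) . '.php';
$gadget = new LogFlusher();
$gadget->path = $target;
$gadget->buffer = "<?php echo 'owned'; ?>";
$payload = serialize($gadget);
$gadget->buffer = '';   // keep our own instance from writing at shutdown

vulnerable_run_action($payload);
printf("vulnerable handler, file written: %s\n", file_exists($target) ? 'yes' : 'no');
@unlink($target);

$obj = unserialize_data_only($payload);
printf("allowed_classes=false gives: %s\n", get_class($obj));
unset($obj);
printf("after destroying it, file written: %s\n", file_exists($target) ? 'yes' : 'no');

print_r(hardened_run_action('{"event_name":"PageView"}'));
```

The gadget here is deliberately one class deep; real chains typically hop through several classes' magic methods and property types before reaching a file or command sink, which is why auditing every reachable class for a fix is less reliable than keeping untrusted input away from unserialize() altogether.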

After Facebook patched the flaw, the researchers found a second issue in the updated plugin, a Cross-Site Request Forgery that could be escalated to Stored Cross-Site Scripting, and reported it on January 27. The chain works by getting an authenticated administrator to submit a request that stores attacker-controlled content in a plugin setting, which the plugin later renders into the admin page without escaping.

"This function is used to update the plugin's settings with the Facebook Pixel ID, access token, and external business key. These settings help establish a connection with the Facebook pixel console so that event data can be sent from the WordPress site to the appropriate Facebook pixel account," Wordfence explains.
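As an added example, not the plugin's code, here is a settings-update handler of the kind the quote describes, first in a shape open to CSRF and stored XSS and then hardened, written as plain PHP 8 that runs from the command line with constructed requests. The token scheme, the session secret, the action name and the in-memory options array are assumptions standing in for WordPress's own mechanisms, which are named in the comments; the numeric format assumed for the pixel ID is also an assumption.

```php
<?php
// Added example: CSRF-to-stored-XSS in a settings handler, and the fix.
// Not the plugin's code. WordPress equivalents of each check are in comments.
declare(strict_types=1);

// In-memory stand-in for the options table (WordPress: get_option/update_option).
$options = ['pixel_id' => '', 'access_token' => ''];

// Vulnerable: no CSRF token, no capability check, value stored as received and
// echoed back unescaped. An admin who visits a page that auto-submits this form
// stores the attacker's markup in the plugin settings.
function save_settings_vulnerable(array &$options, array $post): void
{
    $options['pixel_id'] = (string) ($post['pixel_id'] ?? '');
}

function render_settings_vulnerable(array $options): string
{
    return '<input name="pixel_id" value="' . $options['pixel_id'] . '">';
}

// Hardened: token bound to the session and the action (WordPress:
// check_admin_referer('save_fb_settings') / wp_verify_nonce()), a capability
// check (WordPress: current_user_can('manage_options')), validation to the
// expected format, and escaping on output (WordPress: esc_attr()).
function csrf_token(string $session_secret, string $action): string
{
    return hash_hmac('sha256', $action, $session_secret);
}

function save_settings_hardened(array &$options, array $post, string $session_secret, bool $can_manage): bool
{
    $expected = csrf_token($session_secret, 'save_fb_settings');
    if (!isset($post['_token']) || !hash_equals($expected, (string) $post['_token'])) {
        return false;   // CSRF: request did not come from our own settings page
    }
    if (!$can_manage) {
        return false;   // authorization is a separate check from CSRF protection
    }
    $pixel_id = (string) ($post['pixel_id'] ?? '');
    if (!preg_match('/^\d{1,20}$/', $pixel_id)) {
        return false;   // assumed format: numeric ID; anything else is rejected, not stored
    }
    $options['pixel_id'] = $pixel_id;
    return true;
}

function render_settings_hardened(array $options): string
{
    $safe = htmlspecialchars($options['pixel_id'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="pixel_id" value="' . $safe . '">';
}

// Constructed forged request: an attacker page auto-submits this to the admin
// endpoint in the victim's browser, which attaches the victim's cookies.
$forged = ['pixel_id' => '"><script>alert(document.cookie)</script>'];

save_settings_vulnerable($options, $forged);
echo render_settings_vulnerable($options), "\n";   // attacker markup is now in the page

$options = ['pixel_id' => '', 'access_token' => ''];
$secret  = bin2hex(random_bytes(16));               // assumed per-session secret
var_dump(save_settings_hardened($options, $forged, $secret, true));   // rejected: no token

$legit = ['pixel_id' => '123456789012345', '_token' => csrf_token($secret, 'save_fb_settings')];
var_dump(save_settings_hardened($options, $legit, $secret, true));
echo render_settings_hardened($options), "\n";
```

The order of the checks matters: the token check establishes that the request came from the site's own page, the capability check establishes that the user is allowed to change the setting, and validation plus output escaping ensures that even a value written by a legitimate admin cannot become script when the settings page renders it.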


News URL

http://feedproxy.google.com/~r/Securityweek/~3/G5Kwq4uAQrw/severe-flaws-official-facebook-wordpress-plugin
