Vulnerabilities > CVE-2021-24218 - Unspecified vulnerability in Facebook

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

facebook

NVD

Published: 2021-04-12

Updated: 2024-11-21

Summary

The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.

Vulnerable Configurations

Part	Description	Count
Application	Facebook Facebook Facebook 3.0.0 Facebook Facebook 3.0.1 Facebook Facebook 3.0.2 Facebook Facebook 3.0.3	4

References

https://wpscan.com/vulnerability/169d21fc-d191-46ff-82e8-9ac887aed8a4
https://wpscan.com/vulnerability/169d21fc-d191-46ff-82e8-9ac887aed8a4
https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/
https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/