WordPress Facebook Plugin Makes 500,000 Plus Sites Vulnerable

Two vulnerabilities were found in the Facebook for WordPress plugin. Exploiting them could allow attackers to install malicious code, plant a backdoor and create an administrator-level account, giving them full control of the website.

Facebook Plugin for WordPress

Facebook for WordPress is installed on over 500,000 websites. Advertisers use the plugin to track visitors on their sites for Facebook ads; it lets them follow visitor behaviour in order to optimize the website.

One vulnerability was discovered in December 2020, and the other was discovered in January 2021, when a code update to the plugin was made.

PHP Object Injection Exploit

Attacks of this kind depend entirely on the plugin failing to sanitize the data it receives, which lets attackers inject a variety of payloads, such as malware code. In this kind of attack, the attacker could use the vulnerable plugin to upload a file and proceed to remote code execution.

The plugin's vulnerability could also let attackers take advantage of another vulnerable plugin on the same site to set up malware.

Wordfence says:

This meant that an attacker could generate a PHP file new.php in a vulnerable site’s home directory with the contents <?php phpinfo();?>. The PHP file contents could be changed to anything, like <?php shell_exec($_GET['cmd']);?>  which would allow an attacker to achieve remote code execution.

Note that the presence of a full POP chain also meant that any other plugin with an object injection vulnerability, including those that did not require knowledge of the site’s salts and keys, could potentially be used to achieve remote code execution as well if it was installed on a site with the Facebook for WordPress plugin.

Cross-Site Request Forgery

Cross-Site Request Forgery is a type of exploit that requires a victim with administrator-level credentials on the WordPress site to perform an action, such as clicking a link, which then triggers an attack carried out with the administrator's level of privilege.

This type of attack can access data such as private traffic data and can lead to a takeover of the whole website.

Wordfence says:

The action could be used by an attacker to update the plugin’s settings to point to their own Facebook Pixel console and steal metric data for a site. Worse yet, since there was no sanitization on the settings that were stored, an attacker could inject malicious JavaScript into the setting values.

These values would then be reflected on the settings page, causing the code to execute in a site administrator’s browser while accessing the settings page. Ultimately, this code could be used to inject malicious backdoors into theme files or create new administrative user accounts that could be used for complete site takeover.
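As an added illustration, not code from the Facebook for WordPress plugin or from Wordfence, here is a settings handler for a hypothetical plugin in the weak form the quoted analysis describes, beside a hardened version. The function and option names are invented, and it assumes WordPress's admin-post hooks, nonce and options APIs.

```php
<?php
/*
 * Added example (not the plugin's own code): saving and rendering a "pixel id"
 * setting for a hypothetical WordPress plugin. Assumes it runs inside WordPress.
 */

// WEAK: a logged-in admin lured to a crafted form changes the setting (CSRF),
// and the raw value is stored and later echoed back (stored XSS in the admin).
function example_save_pixel_weak() {
    update_option( 'example_pixel_id', $_POST['pixel_id'] ); // no nonce, no capability check, no sanitization
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

function example_render_pixel_weak() {
    echo '<input name="pixel_id" value="' . get_option( 'example_pixel_id' ) . '">'; // unescaped output
}

// HARDENED: check the user may change settings, verify the request came from
// our own form (nonce), constrain the value to its expected shape, escape on output.
function example_save_pixel_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_pixel', 'example_nonce' ); // dies on a missing or invalid nonce

    $pixel_id = isset( $_POST['pixel_id'] ) ? sanitize_text_field( wp_unslash( $_POST['pixel_id'] ) ) : '';
    // A pixel id is numeric: reject anything else instead of trying to clean it.
    if ( ! preg_match( '/^\d{1,32}$/', $pixel_id ) ) {
        wp_die( 'Invalid pixel id', '', array( 'response' => 400 ) );
    }
    update_option( 'example_pixel_id', $pixel_id );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

function example_render_pixel_hardened() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_save_pixel', 'example_nonce' );
    echo '<input type="hidden" name="action" value="example_save_pixel">';
    echo '<input name="pixel_id" value="' . esc_attr( get_option( 'example_pixel_id', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

add_action( 'admin_post_example_save_pixel', 'example_save_pixel_hardened' );
```

The nonce stops a cross-site form from being accepted, the capability check stops lower-privileged users, and validating on input plus escaping on output removes the stored script path even if one of the other checks is ever bypassed.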


All users of this plugin are advised to update immediately to the latest version, v3.0.5. Version v3.0.5 is the fully patched version of the plugin.

Sources

Two Vulnerabilities Patched in Facebook for WordPress Plugin (Wordfence)

Facebook for WordPress Changelog

About Creator- Rajat

Rajat creates content about digital marketing, Google tech news and search updates. Here you will find the latest news about SEO and about marketing techniques that leverage digital media.
