Severe Flaws in Official ‘Facebook for WordPress’ Plugin
Security researchers have discovered critical vulnerabilities in the official Facebook for WordPress plugin, finding that they can be abused to upload arbitrary files which would likely lead to remote code execution. Wordfence researchers recently released a warning advising users to exercise caution and to implement Facebook’s patch as soon as possible. The bug has been assigned a CVSS score of 9.0 and was reported to Facebook by Wordfence in late December. The bug has a high severity rating as it could allow for unauthorized access and remote code execution.
The vulnerability is described by the researchers as a PHP object injection with POP chain. Although the deserialization vulnerability is relatively harmless on its own, combining its exploit with a gadget or ‘magic method’ would lead to significant damage, including remote code execution and arbitrary files being uploaded onto a site.