The Wordfence Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites.

This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization weakness.

For the first vulnerability, the team initially reached out to Facebook’s security team on December 22, 2020, and included the full disclosure details at that time. Facebook’s security team initially responded on December 25, 2020, requesting further information, which was supplied on December 26, 2020. A patch was released on January 6, 2021.

For the second vulnerability, the team reached out to Facebook’s security team again on January 27, 2021, and included the full disclosure details at that time. Facebook’s security team initially responded on February 1, 2021, requesting further information, which was supplied the same day. An initial patch was released on February 12, 2021, and a fully sufficient patch was released on February 17, 2021.

These are considered high and critical severity vulnerabilities. Therefore, we highly recommend updating to the latest version available containing both patches, 3.0.5, immediately.
