Mageni is a free and open-source vulnerability scanner that eases the vulnerability scanning, assessment, and management process.
WordPress Facebook for WordPress Plugin < 3.0.0 PHP Object Injection Vulnerability
Summary
The WordPress plugin Facebook for WordPress (formerly known as Official Facebook Pixel) is prone to a PHP object injection vulnerability.
Insight
The core of the PHP object injection vulnerability is within the run_action() function. This function is intended to deserialize user data from the event_data POST variable so that it can send the data to the pixel console. Unfortunately, event_data is user-supplied. When user-supplied input is deserialized in PHP, a user can supply serialized PHP objects that trigger magic methods and execute actions that can be used for malicious purposes. On its own, a deserialization vulnerability is relatively harmless; combined with a gadget (a magic method with a useful side effect), however, it can do significant damage to a site. In this case, a magic method within the plugin could be used to upload arbitrary files and achieve remote code execution on a vulnerable target.
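The unsafe pattern described above next to a hardened handler, as an added illustration that is not the plugin's own code: the function names (fbwp_parse_event_vulnerable, fbwp_parse_event_safe, fbwp_parse_event_no_classes), the AJAX action name and nonce name are assumptions, and the WordPress helper functions are used as a plugin normally would.

```php
<?php
// Added illustrative example; these are NOT the Facebook for WordPress plugin's
// functions. The fbwp_* names and the 'fbwp_event' nonce are assumed.

// Vulnerable pattern described in the advisory: the raw event_data POST value
// goes straight into unserialize(). A serialized object of any class loadable
// in the WordPress process is instantiated, and its magic methods
// (__wakeup, __destruct, __toString, ...) run with the web server's privileges.
function fbwp_parse_event_vulnerable(string $event_data)
{
    return unserialize($event_data); // object injection sink
}

// Hardened form: never let the client choose PHP classes. Accept JSON only,
// decode to plain arrays, and keep only the fields the pixel call needs.
function fbwp_parse_event_safe(string $event_data): ?array
{
    $event = json_decode($event_data, true, 8); // assoc arrays, shallow depth
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($event)) {
        return null; // caller responds 400 and logs the rejected input
    }
    return [
        'event_name' => sanitize_key((string) ($event['event_name'] ?? '')),
        'event_time' => absint($event['event_time'] ?? 0),
    ];
}

// If a serialized PHP payload format cannot be dropped, PHP 7+ can at least
// refuse to instantiate classes: objects become __PHP_Incomplete_Class and no
// magic method fires. This blocks gadget use but is weaker than switching to JSON.
function fbwp_parse_event_no_classes(string $event_data)
{
    return unserialize($event_data, ['allowed_classes' => false]);
}

// Typical wiring inside an admin-ajax handler (hypothetical action name).
add_action('wp_ajax_fbwp_run_action', function () {
    check_ajax_referer('fbwp_event', 'nonce');      // CSRF protection
    if (!current_user_can('manage_options')) {      // privilege check
        wp_send_json_error('forbidden', 403);
    }
    $raw   = wp_unslash($_POST['event_data'] ?? '');
    $event = is_string($raw) ? fbwp_parse_event_safe($raw) : null;
    if ($event === null) {
        wp_send_json_error('invalid event_data', 400);
    }
    wp_send_json_success($event);
});
```

A rejected event_data (non-JSON, or a string starting with a serialized object marker such as `O:`) is worth logging, since it is the observable signature of an attempt against this class of bug.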
Affected Software
WordPress Facebook for WordPress plugin before version 3.0.0.
Detection Method
Checks if a vulnerable version is present on the target host.
Solution
Update to version 3.0.0 or later.