WordPress Plugin Vulnerabilities

Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain

Description

The run_action function of the plugin deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution.

Proof of Concept

Affects Plugins

Plugin icon
official-facebook-pixel
Fixed in 3.0.0

References

CVE
CVE-2021-24217
URL
https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
9.0 (critical)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
Yes
WPVDB ID
509f2754-a1a1-4142-9126-ae023a88533a

Timeline

Publicly Published
2021-03-25 (about 4 years ago)
Added
2021-03-25 (about 4 years ago)
Last Updated
2021-03-26 (about 4 years ago)

Other

Published
Title
Published
2023-10-24
Title
KD Coming Soon <= 1.7 - Unauthenticated PHP Object Injection via cetitle
Published
2025-05-22
Title
Car Dealer <= 1.6.6 - Unauthenticated PHP Object Injection
Published
2025-04-24
Title
Social Counter < 2.1 - Authenticated (Administrator+) PHP Object Injection
Published
2024-12-06
Title
Gallery <= 1.3 - Authenticated (Contributor+) PHP Object Injection
Published
2024-08-30
Title
Attire < 2.0.7 - Authenticated (Contributor+) PHP Object Injection