CVE-2021-24218
📋 TL;DR
This Cross-Site Request Forgery (CSRF) vulnerability in the Facebook for WordPress plugin allows attackers to trick authenticated administrators into executing malicious actions without their consent. Attackers can inject script tags into plugin settings, potentially leading to stored XSS attacks. All WordPress sites running vulnerable versions of the Facebook for WordPress plugin are affected.
💻 Affected Systems
- Facebook for WordPress plugin
📦 What is this software?
Facebook for WordPress (plugin slug official-facebook-pixel), published by Facebook
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript into plugin settings, leading to persistent cross-site scripting (XSS) that affects all users visiting the compromised site, potentially enabling session hijacking, credential theft, or malware distribution.
Likely Case
Attackers trick administrators into clicking malicious links that modify plugin settings to inject malicious scripts, compromising the administrator session and potentially other user sessions.
If Mitigated
With proper CSRF protections and input sanitization, the vulnerability would be prevented, requiring attackers to find alternative methods to compromise the site.
🎯 Exploit Status
Exploitation requires social engineering to trick authenticated administrators, but the technical complexity is low once the administrator is targeted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.4
Vendor Advisory: https://wordpress.org/plugins/official-facebook-pixel/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Facebook for WordPress' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.0.4+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints via .htaccess
Block access to the vulnerable AJAX endpoints to prevent exploitation (Apache mod_rewrite):
# Add to .htaccess file
RewriteEngine On
RewriteCond %{QUERY_STRING} action=(save_fbe_settings|delete_fbe_settings) [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
Note that mod_rewrite only inspects the query string, so this rule does not match a request that carries the action parameter in the POST body; it reduces exposure but is not a complete block.
Temporarily disable plugin
Disable the Facebook for WordPress plugin until patched (WP-CLI):
wp plugin deactivate official-facebook-pixel
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Use web application firewall (WAF) rules to block CSRF attempts targeting admin-ajax.php
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin → Plugins → Installed Plugins. If Facebook for WordPress version is below 3.0.4, the site is vulnerable.
Check Version:
wp plugin get official-facebook-pixel --field=version
Verify Fix Applied:
Verify that the plugin version is 3.0.4 or higher in the WordPress admin panel. Confirm that requests to the plugin's AJAX endpoints are rejected when the nonce is missing or invalid.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=save_fbe_settings or action=delete_fbe_settings without proper referrer headers
- Unusual modifications to plugin settings by non-administrator IPs
Network Indicators:
- CSRF attempts with crafted POST requests to admin-ajax.php endpoint
- Traffic patterns showing admin sessions followed immediately by AJAX requests from different IPs
SIEM Query:
source="wordpress.log" AND uri_path="/wp-admin/admin-ajax.php" AND (query_string="*action=save_fbe_settings*" OR query_string="*action=delete_fbe_settings*")
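The log indicator above (POSTs to admin-ajax.php for the two plugin actions without a Referer from the site itself) can be checked offline against a web server access log. The script below is an added example, not part of this advisory or the plugin: it parses Apache "combined" format lines, flags requests that match the indicator, and counts hits per source IP. The log lines, the host name blog.example and the IP addresses are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Plugin AJAX actions named in this advisory.
SUSPECT_ACTIONS = {"save_fbe_settings", "delete_fbe_settings"}
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Apache "combined" log format: ip ident user [time] "req" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic). Lines 1-2 come from a foreign
# Referer / no Referer; line 3 is a legitimate admin saving settings; line 4 is noise.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2021:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=save_fbe_settings HTTP/1.1" 200 53 "https://lure.example/page.html" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2021:10:01:07 +0000] "POST /wp-admin/admin-ajax.php?action=delete_fbe_settings HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2021:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=save_fbe_settings HTTP/1.1" 200 53 "https://blog.example/wp-admin/admin.php?page=facebook" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2021:10:02:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "https://blog.example/wp-admin/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs returns lists; take the first value of 'action' if present.
    entry["action"] = parse_qs(parts.query).get("action", [None])[0]
    return entry


def is_suspicious(entry, site_host):
    """True when a POST hits the plugin's settings actions without a Referer from our own host."""
    if entry["method"] != "POST" or entry["path"] != AJAX_PATH:
        return False
    if entry["action"] not in SUSPECT_ACTIONS:
        return False
    referer = entry["referer"]
    if referer in ("", "-"):
        return True  # Referer missing entirely
    return urlsplit(referer).hostname != site_host  # Referer from a foreign page


def scan_log(text, site_host):
    """Return the list of parsed entries that match the CSRF indicator."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry, site_host):
            hits.append(entry)
    return hits


def count_by_ip(hits):
    """Aggregate matching requests per source IP for triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, "blog.example")
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["action"]} referer={h["referer"]}')
    print(count_by_ip(found))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents and site_host with the site's own host name. Because the action parameter may also be sent in the POST body rather than the query string, an access log alone can miss some requests; application-level logging of the plugin's AJAX handler is needed for full coverage.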
🔗 References
- https://wpscan.com/vulnerability/169d21fc-d191-46ff-82e8-9ac887aed8a4
- https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/