CVE-2021-24218

Facebook for WordPress <= 3.0.3 - Cross-site Request Forgery to Stored Cross-site Scripting and Settings Deletion via wp_ajax_(save|delete)_fbe_settings

highCross-Site Request Forgery (CSRF)

8.8

CVSS Score

8.8

CVSS Score

high

Severity

3.0.4

Patched in

1034d

Time to patch

Description

The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

High

Confidentiality

High

Integrity

High

Availability

Technical Details

Affected versions>=3.0.0 <3.0.4

PublishedMarch 25, 2021

Last updatedJanuary 22, 2024

Affected pluginofficial-facebook-pixel

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/9bc3039c-8e96-42e9-a28d-d3204f3e84f7?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database