Facebook has fixed two critical vulnerabilities in its popular WordPress plugin which could have been exploited to enable full site takeover, according to Wordfence.
The security company revealed yesterday that it had disclosed the bugs to the social network on December 22 last year and January 27, 2021. Patches for each were released on January 6 and February 7, 2021, respectively.
The vulnerabilities affected the plugin formerly known as Official Facebook Pixel, which is said to be installed on around half a million sites globally. The software is designed to integrate Facebook’s Pixel conversion measurement tool with WordPress sites so it can monitor traffic and record specific user actions.
The first bug is a PHP object injection vulnerability with a CVSS score of 9.
“The core of the PHP Object Injection vulnerability was within the run_action() function. This function was intended to deserialize user data from the event_data POST variable so that it could send the data to…