Two severe vulnerabilities have been patched in the Facebook for WordPress Plugin.
The plugin, used to capture user actions when they visit a page and to monitor site traffic, has been installed on over 500,000 websites.
On December 22, the cybersecurity researchers privately disclosed to the vendor a critical vulnerability that has been assigned a CVSS severity score of 9. The vulnerability, described as a PHP object injection, was found in the plugin's run_action() function.
If a valid nonce was generated — such as through the use of a custom script — an attacker could supply the plugin with PHP objects for malicious purposes and go so far as to upload files to a vulnerable website and achieve Remote Code Execution (RCE).
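To make the two defensive points in that paragraph concrete (a nonce is CSRF protection, not authorization, and unserialize() on request data is the root of PHP object injection), here is an added illustration in the style of a WordPress AJAX handler; it is not the plugin's code, and the function names, the 'plugin_run_action' nonce action and the field names are assumptions for this example.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical WordPress AJAX
// handler showing the unsafe pattern the article describes and a hardened form.
// Function names, the 'plugin_run_action' nonce action and the field names
// are assumptions made for this example.

// UNSAFE: a nonce only proves the request carries a token the site issued;
// it is not an authorization check, and unserialize() on request data lets a
// caller instantiate arbitrary classes (PHP object injection).
function plugin_run_action_unsafe() {
    check_ajax_referer( 'plugin_run_action', 'nonce' );
    $payload = unserialize( wp_unslash( $_POST['payload'] ) );
    // ... act on $payload ...
    wp_send_json_success();
}

// HARDENED: require a capability, never unserialize() untrusted input, and
// accept only an explicit allow-list of fields, each run through a sanitizer.
function plugin_run_action_safe() {
    check_ajax_referer( 'plugin_run_action', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw     = isset( $_POST['payload'] ) ? wp_unslash( $_POST['payload'] ) : '';
    $payload = json_decode( $raw, true ); // associative arrays only, no objects
    if ( ! is_array( $payload ) || json_last_error() !== JSON_ERROR_NONE ) {
        wp_send_json_error( 'bad payload', 400 );
    }
    // If legacy serialized input must still be accepted, the minimum is
    // unserialize( $raw, array( 'allowed_classes' => false ) ) (PHP 7+).
    $allowed = array(
        'pixel_id' => 'sanitize_text_field',
        'enabled'  => 'rest_sanitize_boolean',
    );
    $clean = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( array_key_exists( $key, $payload ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, $payload[ $key ] );
        }
    }
    // ... act on $clean ...
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_plugin_run_action', 'plugin_run_action_safe' );
```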
“This flaw made it possible for…