Search criteria
4 vulnerabilities found for Facebook for WordPress by Unknown
CVE-2021-24218 (GCVE-0-2021-24218)
Vulnerability from cvelistv5 – Published: 2021-04-12 14:01 – Updated: 2024-08-03 19:21
VLAI?
Title
Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion
Summary
The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Facebook for WordPress |
Affected:
3.0.0 , < 3.0.0*
(custom)
Affected: 3.0.4 , < 3.0.4 (custom) |
Credits
Chloe Chamberland
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.784Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/169d21fc-d191-46ff-82e8-9ac887aed8a4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Facebook for WordPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0.0*",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "3.0.4",
"status": "affected",
"version": "3.0.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-12T14:01:34",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/169d21fc-d191-46ff-82e8-9ac887aed8a4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24218",
"STATE": "PUBLIC",
"TITLE": "Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Facebook for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "3.0.0",
"version_value": "3.0.0"
},
{
"version_affected": "\u003c",
"version_name": "3.0.4",
"version_value": "3.0.4"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/"
},
{
"name": "https://wpscan.com/vulnerability/169d21fc-d191-46ff-82e8-9ac887aed8a4",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/169d21fc-d191-46ff-82e8-9ac887aed8a4"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24218",
"datePublished": "2021-04-12T14:01:34",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:21:18.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24217 (GCVE-0-2021-24217)
Vulnerability from cvelistv5 – Published: 2021-04-12 14:01 – Updated: 2024-08-03 19:21
VLAI?
Title
Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain
Summary
The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Facebook for WordPress |
Affected:
3.0.0 , < 3.0.0
(custom)
|
Credits
Chloe Chamberland
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/509f2754-a1a1-4142-9126-ae023a88533a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Facebook for WordPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0.0",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-12T14:01:19",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/509f2754-a1a1-4142-9126-ae023a88533a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Facebook for WordPress \u003c 3.0.0 - PHP Object Injection with POP Chain",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24217",
"STATE": "PUBLIC",
"TITLE": "Facebook for WordPress \u003c 3.0.0 - PHP Object Injection with POP Chain"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Facebook for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.0.0",
"version_value": "3.0.0"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/509f2754-a1a1-4142-9126-ae023a88533a",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/509f2754-a1a1-4142-9126-ae023a88533a"
},
{
"name": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24217",
"datePublished": "2021-04-12T14:01:19",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:21:18.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24218 (GCVE-0-2021-24218)
Vulnerability from nvd – Published: 2021-04-12 14:01 – Updated: 2024-08-03 19:21
VLAI?
Title
Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion
Summary
The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Facebook for WordPress |
Affected:
3.0.0 , < 3.0.0*
(custom)
Affected: 3.0.4 , < 3.0.4 (custom) |
Credits
Chloe Chamberland
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.784Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/169d21fc-d191-46ff-82e8-9ac887aed8a4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Facebook for WordPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0.0*",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "3.0.4",
"status": "affected",
"version": "3.0.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-12T14:01:34",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/169d21fc-d191-46ff-82e8-9ac887aed8a4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24218",
"STATE": "PUBLIC",
"TITLE": "Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Facebook for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "3.0.0",
"version_value": "3.0.0"
},
{
"version_affected": "\u003c",
"version_name": "3.0.4",
"version_value": "3.0.4"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/"
},
{
"name": "https://wpscan.com/vulnerability/169d21fc-d191-46ff-82e8-9ac887aed8a4",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/169d21fc-d191-46ff-82e8-9ac887aed8a4"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24218",
"datePublished": "2021-04-12T14:01:34",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:21:18.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24217 (GCVE-0-2021-24217)
Vulnerability from nvd – Published: 2021-04-12 14:01 – Updated: 2024-08-03 19:21
VLAI?
Title
Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain
Summary
The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Facebook for WordPress |
Affected:
3.0.0 , < 3.0.0
(custom)
|
Credits
Chloe Chamberland
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/509f2754-a1a1-4142-9126-ae023a88533a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Facebook for WordPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0.0",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-12T14:01:19",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/509f2754-a1a1-4142-9126-ae023a88533a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Facebook for WordPress \u003c 3.0.0 - PHP Object Injection with POP Chain",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24217",
"STATE": "PUBLIC",
"TITLE": "Facebook for WordPress \u003c 3.0.0 - PHP Object Injection with POP Chain"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Facebook for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.0.0",
"version_value": "3.0.0"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/509f2754-a1a1-4142-9126-ae023a88533a",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/509f2754-a1a1-4142-9126-ae023a88533a"
},
{
"name": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24217",
"datePublished": "2021-04-12T14:01:19",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:21:18.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}