The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution.
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/509f2754-a1a1-4142-9126-ae023a88533a | Exploit Third Party Advisory |
https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/ | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WPScan
Published: 2021-04-12T14:01:19
Updated: 2021-04-12T14:01:19
Reserved: 2021-01-14T00:00:00
Link: CVE-2021-24217
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-04-12T14:15:15.240
Modified: 2021-04-20T19:11:16.837
Link: CVE-2021-24217
JSON object: View
Redhat Information
No data.
CWE