Vulnerability Details CVE-2021-24218
The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings handled by the saveFbeSettings function had no sanitization, allowing script tags to be saved.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 36.4%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.8
Products affected by CVE-2021-24218
- cpe:2.3:a:facebook:facebook:3.0.0
- cpe:2.3:a:facebook:facebook:3.0.1
- cpe:2.3:a:facebook:facebook:3.0.2
- cpe:2.3:a:facebook:facebook:3.0.3