Vulnerability Description
The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| >= 3.0.0, < 3.0.4 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/169d21fc-d191-46ff-82e8-9ac887aed8a4ExploitThird Party Advisory
- https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-fExploitThird Party Advisory
- https://wpscan.com/vulnerability/169d21fc-d191-46ff-82e8-9ac887aed8a4ExploitThird Party Advisory
- https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-fExploitThird Party Advisory
FAQ
What is CVE-2021-24218?
CVE-2021-24218 is a vulnerability with a CVSS score of 8.8 (HIGH). The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in ...
How severe is CVE-2021-24218?
CVE-2021-24218 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24218?
Check the references section above for vendor advisories and patch information. Affected products include: Facebook Facebook.