NVD Vulnerability Detail

CVE-2021-24217

Summary	The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution.
Publication Date	April 12, 2021, 11:15 p.m.
Registration Date	April 13, 2021, 10:03 a.m.
Last Update	Nov. 21, 2024, 2:52 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:facebook:facebook::::::wordpress::*					3.0.0

Related information, measures and tools

No	URL	タグ
1	https://wpscan.com/vulnerability/509f2754-a1a1-4142-9126-ae023a88533a	Exploit Third Party Advisory
2	https://wpscan.com/vulnerability/509f2754-a1a1-4142-9126-ae023a88533a	Exploit Third Party Advisory
3	https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/	Exploit Third Party Advisory
4	https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/	Exploit Third Party Advisory

Common Vulnerabilities List

JVN Vulnerability Information

WordPress 用 Facebook プラグインにおける信頼できないデータのデシリアライゼーションに関する脆弱性

Title	WordPress 用 Facebook プラグインにおける信頼できないデータのデシリアライゼーションに関する脆弱性
Summary	WordPress 用 Facebook プラグインには、信頼できないデータのデシリアライゼーションに関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	March 25, 2021, midnight
Registration Date	Dec. 16, 2021, 11:10 a.m.
Last Update	Dec. 16, 2021, 11:10 a.m.

Affected System

Facebook

facebook 3.0.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-24217	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24217
National Vulnerability Database (NVD)
2	CVE-2021-24217	https://nvd.nist.gov/vuln/detail/CVE-2021-24217

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-502	https://cwe.mitre.org/data/definitions/502.html

ベンダー情報

No	Name	URL
WordPress Plugin Directory
1	Facebook for WordPress	https://wordpress.org/plugins/official-facebook-pixel/

その他

No	Name	URL
関連文書
1	Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain	https://wpscan.com/vulnerability/509f2754-a1a1-4142-9126-ae023a88533a

Change Log

No	Changed Details	Date of change
1	[2021年12月16日] 掲載	Dec. 16, 2021, 11:10 a.m.