Two severe vulnerabilities have been patched in the Facebook for WordPress plugin, which is installed on over 500,000 websites. An attacker exploiting the most severe of the two could feed the plugin crafted PHP objects (PHP object injection), upload files to the vulnerable site and achieve Remote Code Execution (RCE).
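As an added illustration of the bug class named above, and not the plugin's own code, the following hypothetical PHP shows why untrusted data reaching unserialize() is dangerous and what the hardened forms look like; the class and function names are assumptions, and PHP 8 is assumed.

```php
<?php
// Added example: PHP object injection and its mitigation. Nothing here is the
// Facebook for WordPress plugin's code; names are hypothetical.

// Any class in the application with a "magic" method (__destruct, __wakeup,
// __toString ...) becomes reachable once attacker data hits unserialize().
// This one turns an injected object into a file write, which is the kind of
// chain that ends in file upload and RCE.
class HypotheticalCacheEntry {
    public string $path = '';
    public string $contents = '';
    public function __destruct() {
        file_put_contents($this->path, $this->contents);
    }
}

// VULNERABLE: deserialises an untrusted request parameter with no restrictions,
// so every class loaded by WordPress and its plugins is instantiable.
function load_state_vulnerable(string $untrusted): mixed {
    return unserialize($untrusted);
}

// HARDENED: no classes may be instantiated (they arrive as __PHP_Incomplete_Class),
// and anything that is not a plain array of scalars is rejected outright.
function load_state_hardened(string $untrusted): ?array {
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($value) || contains_object($value)) {
        return null; // false on parse failure, or an object slipped in somewhere
    }
    return $value;
}

function contains_object(array $data): bool {
    foreach ($data as $item) {
        if (is_object($item) || (is_array($item) && contains_object($item))) {
            return true;
        }
    }
    return false;
}

// PREFERRED: do not use the PHP serializer for untrusted input at all.
function load_state_json(string $untrusted): ?array {
    $value = json_decode($untrusted, true, 32, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : null;
}

// Constructed input: a settings array, the only shape the code expects.
$good = serialize(['locale' => 'en_US', 'pixel_enabled' => true]);
var_dump(load_state_hardened($good));
var_dump(load_state_json(json_encode(['locale' => 'en_US'])));
```

Detection-wise, a request parameter or option value that starts with `O:` followed by a digit and a colon is the signature of a serialized PHP object and is worth alerting on wherever the application never expects one.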
<p>The latest vulnerabilities found in the Facebook for WordPress plugin are a good reminder to check the security of your WordPress plugins: keep them up to date, install only the plugins you actually need, and think about application security for your WordPress deployment.</p>
<p>Plugins for WordPress are typically written in PHP, a language that is particularly vulnerable to the <a href="https://owasp.org/www-project-top-ten/" target="_blank" rel="noopener">OWASP</a> Top 10 Web Application Risks. Runtime application security provides protection against well-known problems such as zero-day attacks and the OWASP Top 10. The Facebook plugin vulnerability is a Remote Code Execution (RCE) vulnerability, one of the most dangerous classes of vulnerability because it gives the attacker the ability to run almost any code on a compromised site. Some of the largest past data breaches, such as the Equifax attack, started with an RCE attack.</p>
<p>Additional support for runtime application security arrived in late 2020, when <a href="https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final" target="_blank" rel="noopener">NIST SP 800-53</a> Revision 5 was published. The revised security and privacy framework includes two major updates that show how security professionals can improve their application security: it now includes requirements for both runtime application self-protection (RASP) and interactive application security testing (IAST).</p>