CVE-2021-24218: CSRF
First published: Mon Apr 12 2021(Updated: )
The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Facebook Facebook | >=3.0.0<3.0.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-24218.
What is the title of the vulnerability?
The title of the vulnerability is 'The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4.'
What is the description of the vulnerability?
The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.
What is the severity of CVE-2021-24218?
The severity of CVE-2021-24218 is high.
What software is affected by CVE-2021-24218?
The Facebook for WordPress plugin versions 3.0.0 to 3.0.4 are affected by CVE-2021-24218.
How can the vulnerability be exploited?
The vulnerability can be exploited through CSRF attacks by malicious actors.
How can the vulnerability be fixed?
The vulnerability can be fixed by updating the Facebook for WordPress plugin to version 3.0.4 or later.
- collector/nvd-index
- vendor/facebook
- canonical/facebook facebook
- version/facebook facebook/3.0.0