CVE-2021-24217

HIGH

Facebook < 3.0.0 - Insecure Deserialization

Title source: rule

Description

The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user-supplied data, making it possible for PHP objects to be supplied and creating an Object Injection vulnerability. There was also a usable magic method in the plugin that could be used to achieve remote code execution.

Scores

CVSS v3: 8.1
EPSS: 0.0650
EPSS Percentile: 91.0%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE: CWE-502
Status: published

Affected Products (1)

facebook/facebook < 3.0.0

Timeline

Published: Apr 12, 2021
Tracked Since: Feb 18, 2026