CVE-2021-24218

CVE-2021-24218: Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion

Vendor Unknown

Product Facebook for WordPress

Weakness CWE-352 · CSRF

Published April 12, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.

Key dates

02Disclosure timeline

April 12, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24218

Related vulnerabilities

04Related CVE

CVE-2025-26963 WordPress ClickWhale plugin <= 2.4.3 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability CVE-2025-4194 AlT Monitoring <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting CVE-2025-24714 WordPress Bubble Menu Plugin <= 4.0.2 - Cross Site Request Forgery (CSRF) vulnerability CVE-2026-3332 Xhanch - My Advanced Settings <= 1.1.2 - Cross-Site Request Forgery to Settings Update CVE-2025-15635 WordPress Smart Online Order for Clover plugin <= 1.6.0 - Cross Site Request Forgery (CSRF) vulnerability

Identifiers

CVE CVE-2021-24218

CWE CWE-352

Affected versions

Vendor Unknown

Product Facebook for WordPress

Affected ≥ 3.0.0 and < 3.0.0*

Vendor Unknown

Product Facebook for WordPress

Affected ≥ 3.0.4 and < 3.0.4