I don't think CSP could have prevented this? Facebook.com is already CSP-enabled, but CSP only prevents cross-origin injection of certain resource types (images, scripts, JavaScript). This attack originated from Facebook's own domain and was served (well, sniffed) as HTML.
Anyway, CSP clearly isn't useless... but try deploying it on your average WordPress blog sometime.
It's not really plugins. The vast majority of WordPress themes out there come with inline CSS, inline JavaScript, and prebaked dependencies on things like jQuery and Google Fonts hosted on third-party CDNs.
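The theme problem described in the thread can be measured before any policy is enforced. The following is an added example, not part of the original comments: it inventories the inline CSS/JavaScript and third-party hosts on one rendered page and builds a strict candidate policy to trial in report-only mode. The sample markup, `CSPInventory`, `audit` and `report_only_policy` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of theme output: inline CSS/JS plus CDN-hosted jQuery and Google Fonts.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<style>body { margin: 0 }</style>
<script src="https://code.jquery.com/jquery.min.js"></script>
<script>jQuery(function () { initSlider(); });</script>
</head><body onload="track()">
<div style="color: red">Hello</div>
<script src="/wp-content/themes/example/main.js"></script>
</body></html>"""

class CSPInventory(HTMLParser):
    """Collect what a policy without 'unsafe-inline' would block on one page."""
    def __init__(self):
        super().__init__()
        # Inline <script>/<style> elements, on* handlers and style="" attributes.
        self.inline = {"script": 0, "style": 0, "handler": 0, "style-attr": 0}
        self.hosts = {"script-src": set(), "style-src": set()}

    def _note_url(self, directive, url):
        parsed = urlparse(url or "")
        if parsed.netloc:  # relative URLs are already covered by 'self'
            self.hosts[directive].add(f"{parsed.scheme or 'https'}://{parsed.netloc}")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self._note_url("script-src", a["src"])
        elif tag in ("script", "style"):
            self.inline[tag] += 1
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self._note_url("style-src", a.get("href"))
        self.inline["handler"] += sum(1 for name in a if name.startswith("on"))
        self.inline["style-attr"] += int("style" in a)

def audit(html):
    inv = CSPInventory()
    inv.feed(html)
    inv.close()
    return inv

def report_only_policy(inv):
    # Candidate Content-Security-Policy-Report-Only value: observed hosts, no 'unsafe-inline'.
    parts = [" ".join([d, "'self'", *sorted(h)]) for d, h in inv.hosts.items()]
    return "; ".join(["default-src 'self'", *parts])
```

Every non-zero count in `inline` is something the theme has to move into external files, or cover with nonces or hashes, before the policy can be switched from report-only to enforcing.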