https://blog.threatpress.com/social-warfare-plugin-security-vulnerabilities/
Social Warfare plugin has more than 60,000 active installs, and now it suffers from the wave of attacks ignited by recently discovered two critical security vulnerabilities. Since both security vulnerabilities are quite easy exploitable and have a high success rate, we highly recommend updating the plugin as soon as possible – now!
Why hurry? Because hackers can easily find WordPress sites using this plugin. We were able to find 42522 websites (all versions of plugin vulnerable and fixed). So please don’t waste time, update it now. Keep in mind that vulnerabilities affect both free and premium versions of the plugin.
Social Warfare plugin vulnerabilities
As we mentioned above, there are two critical security issues recently found in the Social Warfare WordPress plugin. Unauthenticated Remote Code Execution (RCE) and Unauthenticated Arbitrary Settings Update vulnerability affect Social Warfare plugin 3.5.2 and earlier versions. Both vulnerabilities already fixed in Social Warfare plugin version 3.5.3 and you can download it directly from the WordPress plugin repository or use the update function on your WordPress dashboard.
Unauthenticated Remote Code Execution (RCE)
Vulnerability discovered by Luka Sikic (WebARX). A security issue has been found in functionality that is responsible for settings import. Proof of Concept (PoC) is publicly available, and this vulnerability is easy to exploit, that makes it even more dangerous.
Unauthenticated Arbitrary Settings Update
The vulnerability allows inserting a malicious eval() to the wp_options table (social_wafare_settings option, Twitter field.) While the plugin is active, it could make malicious JavaScript redirects. Disabling plugin solves the redirection problem, however malicious eval() stays in the database.
More details available on CVE database (CVE-2019-9978)
Why is this happening?
Some unidentified security researcher disclosed information about the vulnerabilities and provided the Proof of Concept (PoC) without prior notification to plugin authors. WordPress has its policy for responsible security vulnerabilities disclosure, but in this case, it was ignored by putting almost 60,000 websites under security threat.
Such situations are severely damaging the WordPress image and, of course, the entire WordPress community confidence. To avoid such unpleasant situations, do not ignore updates, especially if they are focused on security vulnerabilities. You can always check your plugins manually on our WordPress vulnerability database or automatically with our WordPress security plugin that will test your software against vulnerability database for you.
And a small reminder for the end. Don’t forget to make WordPress backups (WordPress files and database) periodically. Back-up can save hours of site recovery after the security incident. Keep your sites safe.
The post Social Warfare plugin under attack due to critical security vulnerabilities appeared first on ThreatPress Blog.
Source: Security Feed