Social Warfare Plugin Vulnerability Patched

Yesterday, security researchers discovered a zero-day vulnerability in the popular Social Warfare plugin. The plugin was promptly removed from the WordPress repository. In the meantime, its developers issued a patch and are now urging all their users to update to version 3.5.3.

Details

The Social Warfare vulnerability lies in the plugin’s feature for cloning settings from another site. With no restrictions in place to define who can use this feature, even logged-out users can modify the plugin’s options. In effect, an attacker can alter the plugin’s settings simply by providing a URL to a fabricated configuration document. As a result, malicious JavaScript code can be injected into a website’s social share links. Wordfence reports that one of the domains involved in the attacks also participated in exploiting the recent Easy WP SMTP vulnerability. You can find a detailed explanation of how hackers are exploiting the Social Warfare vulnerability on the Plugin Vulnerabilities website, as well as on the Wordfence blog.
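The missing control described above, shown as a hardened settings-import handler. This is an added example for a hypothetical plugin, not Social Warfare's code or its 3.5.3 patch; the `myplugin_*` names, the `source_url` field, the option keys and the JSON document format are all assumptions.

```php
<?php
// Added example for a hypothetical plugin "myplugin". Every myplugin_* name,
// the source_url field, the option keys and the JSON format are assumptions.
const MYPLUGIN_ALLOWED_KEYS = array( 'button_shape', 'button_size', 'twitter_handle' );

// Registered for logged-in requests only; no admin_post_nopriv_* hook is added,
// so logged-out visitors never reach the handler.
add_action( 'admin_post_myplugin_import_settings', 'myplugin_import_settings' );

function myplugin_import_settings() {
    // 1. Authorization: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry the nonce issued on the settings page.
    check_admin_referer( 'myplugin_import_settings' );

    // 3. Fetch the remote document; wp_safe_remote_get() rejects URLs WordPress considers unsafe.
    $url      = isset( $_POST['source_url'] ) ? esc_url_raw( wp_unslash( $_POST['source_url'] ) ) : '';
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_die( 'Could not fetch the settings document.', '', array( 'response' => 400 ) );
    }
    $imported = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $imported ) ) {
        wp_die( 'Settings document is not valid JSON.', '', array( 'response' => 400 ) );
    }

    // 4. Copy only allow-listed keys and strip markup, so no script reaches stored settings.
    $options = get_option( 'myplugin_options', array() );
    foreach ( MYPLUGIN_ALLOWED_KEYS as $key ) {
        if ( isset( $imported[ $key ] ) && is_scalar( $imported[ $key ] ) ) {
            $options[ $key ] = sanitize_text_field( (string) $imported[ $key ] );
        }
    }
    update_option( 'myplugin_options', $options );

    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&imported=1' ) );
    exit;
}
```

Values read back from the option should still be escaped with `esc_attr()` or `esc_url()` when they are rendered into share links.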

Recommended Actions

Naturally, the first thing you should do if you are using the Social Warfare plugin is update it to the latest version (3.5.3). The developers have stated the patch not only addresses the vulnerability but also undoes any changes made to hacked sites. However, if you suspect an attack has already occurred on your website, we strongly recommend you change your passwords.
