Social Warfare Plugin Vulnerability Patched
Yesterday, security researchers discovered a zero-day vulnerability in the popular Social Warfare plugin. The plugin was promptly removed from the WordPress repository. In the meantime, its developers issued a patch and are now urging all their users to update to version 3.5.3.
Details
The Social Warfare vulnerability lies in the plugin’s feature for cloning settings from another site. Because that feature performs no check on who is allowed to use it, even logged-out users can modify the plugin’s options. In effect, an attacker can alter the plugin’s settings simply by supplying the URL of a fabricated configuration document. As a result, malicious JavaScript can be injected into a website’s social share links. Wordfence reports that one of the domains involved in the attacks also participated in exploiting the recent Easy WP SMTP vulnerability. You can find a detailed explanation of how hackers are exploiting the Social Warfare vulnerability on the Plugin Vulnerabilities website, as well as on the Wordfence blog.
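The flaw described above is a missing authorization check on a settings-import handler. The following is an added illustration written for this article, not Social Warfare’s own code: a generic WordPress “import settings from a URL” handler in its weak form (reachable by anyone, storing whatever the remote document contains) next to a hardened form that requires an administrator, verifies a nonce, validates the URL, and whitelists the imported keys. All hook names, option names, and the settings format are hypothetical.

```php
<?php
// Added illustration (not the plugin's code): a settings-import handler that
// fetches a JSON document from a user-supplied URL. Hook names, option names
// and the import format are hypothetical.

// --- Weak form: reachable by anyone, including logged-out visitors ---
// Registering on admin_post_nopriv_* exposes the handler to unauthenticated
// requests, and nothing checks who is calling or where the request came from.
add_action( 'admin_post_nopriv_example_import_settings', 'example_import_settings_weak' );
add_action( 'admin_post_example_import_settings', 'example_import_settings_weak' );

function example_import_settings_weak() {
    $url      = $_GET['import_url'];                 // untrusted and unvalidated
    $response = wp_remote_get( $url );
    $settings = json_decode( wp_remote_retrieve_body( $response ), true );
    update_option( 'example_settings', $settings );  // stores whatever the remote document says
    wp_safe_redirect( admin_url( 'admin.php?page=example' ) );
    exit;
}

// --- Hardened form ---
// 1. Registered only for logged-in requests (no *_nopriv hook).
// 2. Capability check: only users who may manage options can import.
// 3. Nonce check: the request must come from the plugin's own settings page
//    (the form renders wp_nonce_field( 'example_import_settings' )).
// 4. URL validation and a safe fetch (wp_safe_remote_get refuses non-public hosts).
// 5. Only known keys, sanitized to the expected type, are ever stored.
add_action( 'admin_post_example_import_settings', 'example_import_settings_hardened' );

function example_import_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_import_settings' ); // dies on a missing or invalid nonce

    $url = isset( $_POST['import_url'] ) ? esc_url_raw( wp_unslash( $_POST['import_url'] ) ) : '';
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_die( 'Invalid import URL.', '', array( 'response' => 400 ) );
    }

    $response = wp_safe_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_die( 'Could not fetch settings.', '', array( 'response' => 502 ) );
    }

    $settings = example_sanitize_imported_settings( wp_remote_retrieve_body( $response ) );
    if ( null === $settings ) {
        wp_die( 'Import document rejected.', '', array( 'response' => 400 ) );
    }

    update_option( 'example_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example&imported=1' ) );
    exit;
}

// Accept only known keys with the expected types. Free-form HTML or script in
// the remote document never reaches the stored options, so it cannot be
// echoed into the rendered share links later.
function example_sanitize_imported_settings( $body ) {
    $raw = json_decode( $body, true );
    if ( ! is_array( $raw ) ) {
        return null;
    }
    $allowed = array(
        'button_style' => 'key',   // short identifier, e.g. "flat"
        'networks'     => 'list',  // list of network slugs
        'show_counts'  => 'bool',
    );
    $clean = array();
    foreach ( $allowed as $key => $type ) {
        if ( ! array_key_exists( $key, $raw ) ) {
            continue;
        }
        switch ( $type ) {
            case 'key':
                $clean[ $key ] = sanitize_key( $raw[ $key ] );
                break;
            case 'list':
                $clean[ $key ] = is_array( $raw[ $key ] ) ? array_map( 'sanitize_key', $raw[ $key ] ) : array();
                break;
            case 'bool':
                $clean[ $key ] = (bool) $raw[ $key ];
                break;
        }
    }
    return $clean;
}
```

The capability and nonce checks are what stop an unauthenticated visitor from triggering the import at all; the whitelist is the second line of defence, so that even an administrator who points the importer at a malformed document cannot end up with script fragments in the plugin’s stored options.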
Recommended Actions
Naturally, the first thing you should do if you use the Social Warfare plugin is update it to the latest version (3.5.3). The developers have stated that the patch not only addresses the vulnerability but also reverts any changes made to hacked sites. However, if you suspect your website has already been attacked, we strongly recommend changing your passwords.