Social Warfare plugin vulnerabilities exploited

Social Warfare plugin under attack due to critical security vulnerabilities

Social Warfare plugin has more than 60,000 active installs, and now it suffers from the wave of attacks ignited by recently discovered two critical security vulnerabilities. Since both security vulnerabilities are quite easy exploitable and have a high success rate, we highly recommend updating the plugin as soon as possible – now!

Why hurry? Because hackers can easily find WordPress sites using this plugin. We were able to find 42522 websites (all versions of plugin vulnerable and fixed). So please don’t waste time, update it now. Keep in mind that vulnerabilities affect both free and premium versions of the plugin.

Social Warfare equipped websites

Social Warfare plugin vulnerabilities

As we mentioned above, there are two critical security issues recently found in the Social Warfare WordPress plugin. Unauthenticated Remote Code Execution (RCE) and Unauthenticated Arbitrary Settings Update vulnerability affect Social Warfare plugin 3.5.2 and earlier versions. Both vulnerabilities already fixed in Social Warfare plugin version 3.5.3 and you can download it directly from the WordPress plugin repository or use the update function on your WordPress dashboard.

Unauthenticated Remote Code Execution (RCE)

Vulnerability discovered by Luka Sikic (WebARX). A security issue has been found in functionality that is responsible for settings import. Proof of Concept (PoC) is publicly available, and this vulnerability is easy to exploit, that makes it even more dangerous.

Unauthenticated Arbitrary Settings Update

The vulnerability allows inserting a malicious eval() to the wp_options table (social_wafare_settings option, Twitter field.) While the plugin is active, it could make malicious JavaScript redirects. Disabling plugin solves the redirection problem, however malicious eval() stays in the database.

More details available on CVE database (CVE-2019-9978)

Why is this happening?

Some unidentified security researcher disclosed information about the vulnerabilities and provided the Proof of Concept (PoC) without prior notification to plugin authors. WordPress has its policy for responsible security vulnerabilities disclosure, but in this case, it was ignored by putting almost 60,000 websites under security threat.

Such situations are severely damaging the WordPress image and, of course, the entire WordPress community confidence. To avoid such unpleasant situations, do not ignore updates, especially if they are focused on security vulnerabilities. You can always check your plugins manually on our WordPress vulnerability database or automatically with our WordPress security plugin that will test your software against vulnerability database for you.

And a small reminder for the end. Don’t forget to make WordPress backups (WordPress files and database) periodically. Back-up can save hours of site recovery after the security incident. Keep your sites safe.

Darius S.

Similar Posts

ThreatPress API keys

Free WordPress Vulnerability Database API

Recently, we received a few queries related to our services, specifically for WordPress Vulnerability Database. So to make it clear we ...

CIA triad - information security

CIA triad in the WordPress and WooCommerce security perspective

CIA triad is an abbreviation for confidentiality, integrity, and availability. The CIA triad is considered to be the basis for all ...

PCI compliance WooCommerce

What is PCI compliance and do you need it for your WooCommerce store

PCI compliance or more precisely PCI DSS (Payment Card Industry Data Security Standard) developed by the Payment Card Industry Security ...

Leave a Reply

Your email address will not be published. Required fields are marked *