A popular WordPress plugin is urging users to update as soon as possible after it patched a vulnerability that was being exploited in the wild. If users cannot update, developers recommended they disable the plugin.
The plugin, Social Warfare, lets users add social media sharing buttons to their websites. Social Warfare has an active install base of over 70,000 sites and over 805,000 downloads. Wordfence said that the most recent version of the plugin (3.5.2) was plagued by a stored cross-site scripting vulnerability. Worse, researchers have identified attacks in the wild against the vulnerability.
In a tweet posted Thursday evening, Warfare Plugins urged users to log into their WordPress dashboards and update as soon as possible to version 3.5.3. “If you are not able to immediately apply this update we recommend that you disable Social Warfare and Social Warfare Pro until you can apply the V3.5.3 update,” they said.
> Our development team has submitted Social Warfare V3.5.3 to the WordPress update-repository, which addresses this vulnerability and undoes any changes it makes. Please log-in to your WordPress dashboard and apply this update as soon as possible. — Warfare Plugins (@warfareplugins) March 21, 2019
The attacks started after a proof of concept for the vulnerability was published earlier Tuesday, said Veenstra. There is currently no evidence that attacks started prior to today, he told Threatpost.
The plugin was consequently taken down. A notice on the WordPress plugin page for Social Warfare says “This plugin was closed on March 21, 2019 and is no longer available for download.”
Meanwhile, Social Warfare tweeted that it is aware of the vulnerability: “Our developers are working to release a patch within the next hour. In the meantime, we recommend disabling the plugin. We will update you as soon as we know more.”
> WE ARE AWARE OF A ZERO-DAY EXPLOIT AFFECTING SOCIAL WARFARE CURRENTLY BEING TAKEN ADVANTAGE OF IN THE WILD. Our developers are working to release a patch within the next hour. In the meantime, we recommend disabling the plugin. We will update you as soon as we know more. — Warfare Plugins (@warfareplugins) March 21, 2019
On Thursday, Veenstra said that Wordfence will refrain from publicizing details of the flaw and the attacks against it: “At such time that the vendor makes a patch available, we will produce a follow-up post with further information,” he said.
After patches were issued on Thursday evening, Wordfence followed up with a post detailing the proof of concept and the attacks.
The heart of the issue is that the Social Warfare plugin includes functionality allowing users to clone its settings from another site; however, this functionality was not restricted to administrators or even to logged-in users, meaning anyone could take advantage of it.
Therefore, “An attacker is able to input a URL pointing to a crafted configuration document, which overwrites the plugin’s settings on the victim’s site,” according to Wordfence.
Visitors to a site whose plugin settings have been overwritten in this way are redirected to a series of malicious sites, and their individual activity is tracked via cookies.
Reports have indicated a variety of eventual redirect targets, from pornography to tech support scams, researchers said.
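As an added illustration, not Social Warfare's code and not taken from the Wordfence write-up, the PHP below shows a "clone settings from another site" handler in the shape the article describes (reachable without logging in, fetching whatever URL it is handed, storing the result unsanitized) next to a hardened version that restricts the action to administrators, checks a nonce, validates the source URL, and whitelists and sanitizes the imported keys. Hook names, option names, the `source_url` parameter and the settings keys are assumptions made for this example.

```php
<?php
// Added example (not the plugin's code). Hook names, option names, parameter
// names and settings keys are assumptions made for illustration.

// --- Vulnerable shape: registered on the *_nopriv_* hook too, so anyone can call it ---
add_action( 'admin_post_nopriv_example_import_settings', 'example_import_settings_vulnerable' );
add_action( 'admin_post_example_import_settings', 'example_import_settings_vulnerable' );

function example_import_settings_vulnerable() {
    // No capability check and no nonce: an unauthenticated visitor reaches this.
    $url  = isset( $_GET['source_url'] ) ? $_GET['source_url'] : '';
    $resp = wp_remote_get( $url );                         // fetches any URL supplied
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    // Raw attacker-controlled values land in the database. Any template that later
    // echoes one of them into a page unescaped is the stored XSS.
    update_option( 'example_social_settings', $data );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- Hardened shape: admin-only, CSRF-protected, validated fetch, sanitized values ---
// Note: no admin_post_nopriv_ registration, so logged-out requests never reach it.
add_action( 'admin_post_example_import_settings_secure', 'example_import_settings_secure' );

function example_import_settings_secure() {
    // 1. Only users who may manage options can change plugin configuration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. The request must come from the plugin's own settings form (nonce / CSRF check).
    check_admin_referer( 'example_import_settings' );

    // 3. Validate the source URL before fetching. wp_http_validate_url() rejects
    //    non-http(s) schemes and loopback/private hosts, limiting SSRF exposure.
    $url = isset( $_POST['source_url'] ) ? esc_url_raw( wp_unslash( $_POST['source_url'] ) ) : '';
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        wp_die( 'Invalid source URL', '', array( 'response' => 400 ) );
    }

    // wp_safe_remote_get() re-applies the unsafe-URL check; short timeout, no redirects.
    $resp = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_die( 'Could not fetch settings', '', array( 'response' => 502 ) );
    }
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( ! is_array( $data ) ) {
        wp_die( 'Settings document is not valid JSON', '', array( 'response' => 400 ) );
    }

    // 4. Keep only known keys, sanitized for their intended type; everything else,
    //    including any key carrying markup or script, is dropped.
    update_option( 'example_social_settings', example_sanitize_settings( $data ) );
    wp_safe_redirect( add_query_arg( 'imported', '1', admin_url( 'options-general.php' ) ) );
    exit;
}

function example_sanitize_settings( array $data ) {
    $clean = array();
    if ( isset( $data['twitter_handle'] ) ) {
        // Plain text only; strips tags and control characters.
        $clean['twitter_handle'] = sanitize_text_field( (string) $data['twitter_handle'] );
    }
    if ( isset( $data['button_color'] ) && preg_match( '/^#[0-9a-fA-F]{6}$/', (string) $data['button_color'] ) ) {
        // Strict format check: a colour can only ever be a 6-digit hex value.
        $clean['button_color'] = strtolower( (string) $data['button_color'] );
    }
    if ( isset( $data['show_counts'] ) ) {
        $clean['show_counts'] = (bool) $data['show_counts'];
    }
    return $clean;
}

// Defence in depth: escape on output too, so even a bad stored value cannot execute.
// e.g. in a template:  echo esc_attr( $settings['twitter_handle'] );
```

The two handlers differ in exactly the three places the article's description points at: who may call the action (capability plus nonce instead of a public `admin_post_nopriv_` hook), where the plugin is willing to fetch from (validated, non-redirecting, safe-URL request instead of an arbitrary `wp_remote_get`), and what is allowed into the options table (a typed whitelist instead of the raw decoded document). Escaping on output is kept as a second layer so that a stored value reaching the page through some other path still cannot run as script.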
Social Warfare did not immediately respond to a request for comment from Threatpost.
This is not the first time WordPress has fallen victim to flaws – specifically those tied to third-party plugins. In fact, according to a January Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog.
The incident comes after a separate vulnerability was disclosed and patched in a different WordPress plugin, Easy WP SMTP. This vulnerability was also under active attack and being exploited by malicious actors to establish administrative control of impacted sites, said Veenstra.
“The attacks against this vulnerability are widespread, and successful exploits can grant full control of vulnerable sites to the attackers,” he said.
This article was updated March 21 at 7:30 p.m. EST after the vulnerability was patched, and then on March 22 at 7:47 a.m. EST after the PoC was released.