The plugin, Social Warfare, is no longer listed after a cross site scripting flaw was found being exploited in the wild.
A popular WordPress plugin has been removed from the WordPress plugin repository after it was discovered to have a vulnerability that was being exploited in the wild.
The plugin, Social Warfare, lets users add social media sharing buttons to their websites. Social Warfare has an active install base of over 70,000 sites and over 805,000 downloads. Wordfence said that the most recent version of the plugin (3.5.2) was plagued by a stored cross-site scripting vulnerability. Worse, researchers have identified attacks in the wild against the vulnerability.
“The flaw allows attackers to inject malicious JavaScript code into the social share links present on a site’s posts,” said Mikey Veenstra with Wordfence in a Thursday post.
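A site owner who cannot yet patch can at least check whether the stored payload has already landed in their rendered pages. The following is an added example (not Wordfence's or Social Warfare's code) that scans a post's HTML for share links that could execute script: anchors whose href uses a non-http(s) scheme such as javascript:, anchors carrying inline on* event handlers, and stray script elements. The sample post HTML, its "share-button" class name and the injected link are constructed for illustration and are not taken from the attacks the article describes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Schemes a share link may legitimately use; "" covers relative URLs.
SAFE_SCHEMES = {"http", "https", ""}

# Constructed sample: a rendered post with two share buttons, the second of
# which carries an injected javascript: URL plus an inline event handler.
SAMPLE_POST = """
<div class="share-panel">
  <a class="share-button" href="https://twitter.com/intent/tweet?url=https%3A%2F%2Fexample.com%2Fpost">Tweet</a>
  <a class="share-button" href="javascript:alert(1)" onclick="alert(1)">Share</a>
</div>
<a href="https://example.com/about">About</a>
"""


class ShareLinkAuditor(HTMLParser):
    """Walk rendered post HTML and record anchors (or script elements)
    that could run script when a visitor loads the page or clicks a link."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()
        if tag == "script":
            self.findings.append({"line": line, "href": None,
                                  "reasons": ["script element in post body"]})
            return
        if tag != "a":
            return
        attrs = dict(attrs)              # HTMLParser already lower-cases names
        href = attrs.get("href") or ""   # a bare "href" attribute maps to None
        # Browsers skip embedded whitespace and control characters when they
        # read the scheme (e.g. "java\tscript:"), so drop them before classifying.
        compact = "".join(ch for ch in href if not ch.isspace() and ch.isprintable())
        scheme = urlparse(compact).scheme.lower()
        reasons = []
        if scheme not in SAFE_SCHEMES:
            reasons.append(f"href uses {scheme}: scheme")
        handlers = sorted(k for k in attrs if k.startswith("on"))
        if handlers:
            reasons.append("inline event handler: " + ", ".join(handlers))
        if reasons:
            self.findings.append({"line": line, "href": href, "reasons": reasons})


def audit_share_links(html: str) -> list:
    """Return one finding per suspicious anchor/script element in `html`."""
    auditor = ShareLinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for f in audit_share_links(SAMPLE_POST):
        print(f"line {f['line']}: {f['href']!r}: {'; '.join(f['reasons'])}")
```

Run it against the HTML of a handful of published posts (for example, fetched with the site's own REST API or saved from a browser) rather than against the database directly, since the point is what the browser will receive. A hit does not by itself prove compromise, but a share button whose href is anything other than an http(s) URL to a social network deserves a look. On the fix side, the standard WordPress practice for plugin output is to pass link targets through esc_url() and other attribute values through esc_attr() before printing them; whether the vendor's eventual patch did exactly that is not something this article states.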
The attacks started after an “unnamed security researcher published a full disclosure” of the vulnerability earlier today, said Veenstra. There is currently no evidence that attacks started prior to today, he told Threatpost.
The plugin was consequently taken down. A notice on the WordPress plugin page for Social Warfare says “This plugin was closed on March 21, 2019 and is no longer available for download.”
Meanwhile, Social Warfare tweeted that it is aware of the vulnerability: “Our developers are working to release a patch within the next hour. In the meantime, we recommend disabling the plugin. We will update you as soon as we know more.”
WE ARE AWARE OF A ZERO-DAY EXPLOIT AFFECTING SOCIAL WARFARE CURRENTLY BEING TAKEN ADVANTAGE OF IN THE WILD. Our developers are working to release a patch within the next hour. In the meantime, we recommend disabling the plugin. We will update you as soon as we know more.
At this time, Veenstra said that Wordfence will refrain from publicizing details of the flaw and the attacks against it: “At such time that the vendor makes a patch available, we will produce a follow-up post with further information,” he said.
In the meantime, Veenstra said that users should deactivate the plugin as soon as possible until a patch has been released.
PSA: The #WordPress plugin Social Warfare contains an unpatched zero-day flaw which is under active attack in the wild. @wordfence premium users have access to the WAF rule we’ve released, others should deactivate the plugin ASAP until a patch is released. https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/ …
Social Warfare did not immediately respond to a request for comment from Threatpost.
This is not the first time WordPress has fallen victim to flaws – specifically those tied to third-party plugins. In fact, according to a January Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog.
The incident comes after a separate vulnerability was disclosed and patched in a different WordPress plugin, Easy WP SMTP. That vulnerability was also under active attack, with malicious actors exploiting it to establish administrative control of impacted sites, said Veenstra.
“The attacks against this vulnerability are widespread, and successful exploits can grant full control of vulnerable sites to the attackers,” he said.