A growing number of in-the-wild attacks are exploiting an XSS and RCE bug in the popular plugin.
Active exploits for a recently disclosed bug in a popular WordPress plugin, Social Warfare, are snowballing in the wild, potentially putting more than 40,000 websites at risk.
The vulnerability, CVE-2019-9978, covers both a stored cross-site scripting (XSS) flaw and a remote code-execution (RCE) bug. An attacker can use these flaws to run arbitrary PHP code and gain control of the site and server, without authentication.
Once attackers have compromised a website, they can use it to mine cryptocurrency in visitors' browsers, host phishing pages, drop drive-by malware or carry out ad fraud; or they could add the WordPress installation to a botnet.
Social Warfare, which lets websites add social sharing buttons to their pages, is vulnerable in all versions 3.5.0-3.5.2; a patch was issued on March 21 in version 3.5.3 after news of what was then a zero-day emerged. Yet many websites have not upgraded the plugin: Palo Alto Networks’ Unit 42 division said in an analysis Monday that “approximately 60,000 active setups were discovered at the time of composing which are potentially susceptible until they update to 3.5.3.” These include education, finance and news websites. “Many of these sites get high traffic,” the company added.
A zero-day exploit was spotted shortly after the bug was disclosed, prompting the plugin's developers to disable downloads until the updated version was released (it is now back and available for download). Since then, according to Unit 42, the attacks have mounted in increasing numbers.
“There are numerous exploits in the wild for the Social Warfare plugin and it is likely they will continue to be used maliciously,” the researchers said. “Because over 75 million sites are utilizing WordPress and a number of the high traffic WordPress websites are utilizing the Social Warfare plugin, the users of those sites could be exposed to malware, phishing pages or miners.”
Buggy WordPress plugins continue to plague users of the content management system; in fact, according to a January Imperva report, nearly all (98 percent) of WordPress website vulnerabilities are related to plugins. Just recently, for example, a plugin called Yellow Pencil Visual Style Customizer was found being exploited in the wild after two software vulnerabilities were discovered in it. It has an active install base of more than 30,000 websites.
And in January, a critical vulnerability was discovered in the popular WordPress plugin Simple Social Buttons that allows non-admin users to modify WordPress installation options and ultimately take control of websites. Simple Social Buttons also lets users add social-media sharing buttons to various locations on their websites. That plugin has more than 40,000 active installations, according to the WordPress Plugin repository.
Meanwhile, it appears that specific threat actors are focusing on exploiting these flaws. Researchers with Wordfence recently said that they are “positive” that exploits for the bugs in Yellow Pencil and Social Warfare, as well as exploits for Easy WP SMTP and Yuzo Related Posts flaws, are all the work of one adversary. That is because the IP address of the domain hosting the malicious script in these attacks is the same as the one used in the other attacks, they said.
This post has been updated to reflect the correct number of active installs and the correct vulnerable versions of the plugin.