WordPress plugin Social Warfare removed due to major vulnerability

According to a post on the WordPress security news website Wordfence, the popular WordPress social sharing plugin Social Warfare has been removed from the plugin repository due to a cross-site scripting (XSS) vulnerability. The stored XSS was discovered by an unnamed researcher, whose published findings showed that the flaw could be used to inject malicious JavaScript code into the social media share links usually found on blog posts.

This issue is major because the anonymous researcher found that over 70,000 websites currently have the plugin installed. Further compounding the problem, the XSS flaw has confirmed instances of exploitation in the wild. It is this point that Wordfence expanded on in the following statement:

The Defiant Threat Intelligence team has already identified attacks against this vulnerability, and has deployed a firewall rule to prevent its exploitation. Premium users gain immediate access to the new rule, and after a thirty-day delay it will be available to Free users. Because this vulnerability has yet to be patched, it is recommended that site administrators deactivate the plugin until a patch is released.

At this time, we are refraining from publicizing details of the flaw and the attacks against it. At such time that the vendor makes a patch available, we will produce a follow-up post with further information.

In a follow-up comment to the Wordfence article, Jason Wiser of Warfare Plugins had this to say about how the company is responding to the issue:

Our entire development team is currently working to issue a patch and hope to have it released within the hour, but in the meantime we recommend disabling Social Warfare and Social Warfare Pro on your website.

This patch, once available, will be listed as version 3.5.3 and you will be able to download and apply the update even while Social Warfare and Social Warfare Pro are disabled.

Wiser directed users to check the company's support page and Twitter account for “up to the minute updates on this issue.”

This is not the first time a WordPress plugin has raised security concerns. But given how popular the Social Warfare plugin is, this could have turned out to be a complete nightmare. Had this anonymous researcher not found the XSS vulnerability in time, there is no telling how great the damage would have been. XSS is one of the most classic ways that attackers compromise a web application, so one has to wonder how this issue went unnoticed for so long. Nevertheless, there is now an official plan of action for users and developers alike, so in the end things worked out.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

