WordPress plugin Social Warfare removed due to major vulnerability

According to a post on the WordPress security news website Wordfence, the popular WordPress social sharing plugin Social Warfare has been removed from the plugin repository due to a stored cross-site scripting (XSS) vulnerability. The flaw was discovered by an unnamed researcher, whose published findings showed that it could be used to inject malicious JavaScript into the social media share links that usually appear on blog posts.
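To make the class of flaw concrete, here is an added example (not Social Warfare's code, and not a description of the actual bug) of how a share link built from stored, unescaped input becomes a stored XSS sink in a WordPress plugin, beside the same output escaped properly. The function and meta key names (demo_*) are hypothetical:

```php
<?php
/**
 * Added illustration of the stored-XSS pattern described above. This is NOT
 * Social Warfare's code and does not reflect the actual flaw; the function
 * and meta key names (demo_*) are hypothetical.
 */

// Vulnerable form: a per-post "share text" value read from post meta is
// concatenated straight into an href. If the stored value contains a double
// quote or a javascript: scheme, it breaks out of the attribute and runs in
// every visitor's browser, on every page that renders the share button.
function demo_share_link_vulnerable( $post_id ) {
    $text = get_post_meta( $post_id, 'demo_share_text', true ); // untrusted, stored
    $url  = get_permalink( $post_id );
    echo '<a href="https://twitter.com/intent/tweet?url=' . $url . '&text=' . $text . '">Tweet</a>';
}

// Hardened form: percent-encode each query value, then run the finished URL
// through esc_url() for the attribute context. esc_url() rejects schemes
// such as javascript: and escapes the characters that matter inside an
// attribute, so the stored value can no longer alter the markup.
function demo_share_link_safe( $post_id ) {
    $text  = get_post_meta( $post_id, 'demo_share_text', true );
    $url   = get_permalink( $post_id );
    $share = 'https://twitter.com/intent/tweet?url=' . rawurlencode( $url )
           . '&text=' . rawurlencode( $text );
    printf( '<a href="%s">%s</a>', esc_url( $share ), esc_html( 'Tweet' ) );
}

// Defence in depth: also sanitize on write, so script tags never reach the
// database in the first place, and restrict who may set the value.
add_action( 'init', function () {
    register_meta( 'post', 'demo_share_text', array(
        'type'              => 'string',
        'single'            => true,
        'sanitize_callback' => 'sanitize_text_field',
        'auth_callback'     => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );
```

The point of the hardened form is that escaping happens at the output boundary, with the function matched to the context (a URL inside an attribute), rather than trusting whatever was stored; the write-side sanitization is a second layer, not a substitute for it.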

This issue is major: the anonymous researcher found that over 70,000 websites currently have the plugin installed. Compounding the problem, the XSS flaw is confirmed to have been exploited in the wild. Wordfence expanded on this point in the following statement:

The Defiant Threat Intelligence team has already identified attacks against this vulnerability, and has deployed a firewall rule to prevent its exploitation. Premium users gain immediate access to the new rule, and after a thirty-day delay it will be available to Free users. Because this vulnerability has yet to be patched, it is recommended that site administrators deactivate the plugin until a patch is released.

At this time, we are refraining from publicizing details of the flaw and the attacks against it. At such time that the vendor makes a patch available, we will produce a follow-up post with further information.

In a follow-up comment to the Wordfence article, Jason Wiser of Warfare Plugins had this to say about how the company is responding to the issue:

Our entire development team is currently working to issue a patch and hope to have it released within the hour, but in the meantime we recommend disabling Social Warfare and Social Warfare Pro on your website.

This patch, once available, will be listed as version 3.5.3, and you will be able to download and apply the update even while Social Warfare and Social Warfare Pro are disabled.

Wiser directed users to check the company's support page and Twitter for “up to the minute updates on this issue.”
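Both statements above amount to one procedure: deactivate Social Warfare (and Pro) now, then apply the 3.5.3 update once it ships, which works while the plugin is disabled. As an added example, not from the article or from Warfare Plugins, here is that procedure scripted with WP-CLI. It assumes WP-CLI (`wp`) is installed and the script runs from the site root; the slug `social-warfare` is assumed from the plugin's name, and the Pro plugin's slug is not given in the article, so it is left out:

```shell
#!/bin/sh
# Added example (not from the article or from Warfare Plugins). Assumes WP-CLI
# ("wp") is installed and the script runs in the WordPress site root. The
# plugin slug "social-warfare" is assumed from the plugin's name.

PATCHED_VERSION="3.5.3"   # fixed release named in the vendor's comment

# version_lt A B: succeed when dotted version A is older than B.
# Pure POSIX sh; compares numeric components, so "3.5.10" > "3.5.3".
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}   # drop suffixes like "-beta"
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# needs_action VERSION: print "deactivate" if the installed build predates
# the patched release, otherwise "ok".
needs_action() {
    if version_lt "$1" "$PATCHED_VERSION"; then
        echo deactivate
    else
        echo ok
    fi
}

# Live run: only executes where WP-CLI and a site are present.
if command -v wp >/dev/null 2>&1; then
    installed=$(wp plugin get social-warfare --field=version 2>/dev/null || true)
    if [ -n "$installed" ]; then
        case $(needs_action "$installed") in
            deactivate)
                echo "Social Warfare $installed is below $PATCHED_VERSION; deactivating"
                wp plugin deactivate social-warfare
                # When 3.5.3 is published, this works while the plugin stays off:
                #   wp plugin update social-warfare
                # Re-activate only after needs_action reports "ok" for the new version.
                ;;
            ok)
                echo "Social Warfare $installed is patched; no action needed"
                ;;
        esac
    fi
fi
```

The version comparison is done field by field rather than as a string so that a later point release such as 3.5.10 is not mistaken for an old one; the live section is deliberately guarded so the script is safe to run on a host without WP-CLI.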

This is not the first time a WordPress plugin has raised security concerns. But given how popular Social Warfare is, this could have turned into a complete nightmare. Had the anonymous researcher not found the XSS vulnerability in time, there is no telling how great the damage would have been. XSS is one of the most classic ways attackers compromise a web application, so one has to wonder how this issue went unnoticed for so long. Nevertheless, there is now an official plan of action for users and developers alike, so in the end things worked out.

Featured image: Shutterstock

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
