The issue is significant: the anonymous researcher found that over 70,000 websites currently have the plugin installed. Compounding the problem, the XSS has been confirmed as exploited in the wild, a point Wordfence expanded on in the following statement:
The Defiant Threat Intelligence team has already identified attacks against this vulnerability, and has deployed a firewall rule to prevent its exploitation. Premium users gain immediate access to the new rule, and after a thirty-day delay it will be available to Free users. Because this vulnerability has yet to be patched, it is recommended that site administrators deactivate the plugin until a patch is released.
At this time, we are refraining from publicizing details of the flaw and the attacks against it. At such time that the vendor makes a patch available, we will produce a follow-up post with further information.
In a follow-up comment to the Wordfence article, Jason Wiser of Warfare Plugins had this to say about how the company is responding to the issue:
Our entire development team is currently working to issue a patch and hopes to have it released within the hour, but in the meantime we recommend disabling Social Warfare and Social Warfare Pro on your website.
This patch, once available, will be listed as version 3.5.3, and you will be able to download and apply the update even while Social Warfare and Social Warfare Pro are disabled.
This is not the first time a WordPress plugin has raised security concerns. Given how widely the Social Warfare plugin is installed, however, this could have turned into a complete nightmare. Had the anonymous researcher not found the XSS vulnerability in time, there is no telling how extensive the damage would have been. XSS is one of the most classic attacks against a web application, so one has to wonder how this issue went unnoticed for so long. Nevertheless, there is now an official plan of action for users and developers alike, so in the end things worked out.