Two critical security vulnerabilities in a social media sharing plugin are being actively exploited by attackers to take control of WordPress websites that still run the vulnerable version of the plugin.
The plugin in question is the popular and widely used WordPress plugin Social Warfare, which has been downloaded more than 900,000 times. It adds social share buttons to a WordPress website or blog.
The developers of Social Warfare for WordPress released an updated version, 3.5.3, of the plugin last month, which patches two security vulnerabilities: a stored cross-site scripting (XSS) flaw and a remote code execution (RCE) flaw, tracked under a single identifier, CVE-2019-9978.
These flaws can be exploited by attackers to run arbitrary PHP code and gain full control over the affected websites and servers without any form of authentication. Compromised sites can then be used for cryptocurrency mining or to host malicious exploit code.
When the patched version of Social Warfare was released, an unnamed security researcher published a full disclosure and a proof of concept for the stored cross-site scripting (XSS) vulnerability.
Security researchers at Palo Alto Networks' Unit 42 have now found many exploits taking advantage of these vulnerabilities in the wild. These include an exploit for the RCE vulnerability that lets an attacker take control of the affected website, and an exploit for the XSS vulnerability that redirects visitors to an advertising site.
The vulnerabilities stem from improper input handling: the plugin relied on a wrong and insufficient function, which made it possible for remote attackers to exploit them without any authentication.
At present, more than 37,000 of the 42,000 WordPress websites with the plugin active are still running the old, vulnerable version of Social Warfare. The affected sites include education, finance, and many news sites, putting millions of their visitors at risk.
Since attackers are likely to keep exploiting these vulnerabilities, WordPress site administrators are strongly advised to update the Social Warfare plugin to version 3.5.3 or newer as soon as possible.
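For administrators who manage many WordPress installs, the quickest check is to read the version from the plugin's main file header and compare it against the patched release. The script below is an added example, not code from the article or from the Social Warfare project; it assumes the plugin lives in `wp-content/plugins/social-warfare/social-warfare.php` and uses a constructed header for the demonstration.

```python
import re
from pathlib import Path

# First release that patches CVE-2019-9978 (stored XSS and RCE), per the article.
PATCHED_VERSION = (3, 5, 3)

# Assumed location of the plugin's main file inside a WordPress install.
PLUGIN_FILE = Path("wp-content/plugins/social-warfare/social-warfare.php")

_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def plugin_version_from_header(header_text: str) -> tuple:
    """Parse the 'Version:' line of a WordPress plugin header into an int tuple.

    Any non-numeric suffix (e.g. '3.5.3-beta') is dropped so that it compares
    as the base release.
    """
    match = _VERSION_RE.search(header_text)
    if not match:
        raise ValueError("no Version: header found")
    numeric = re.match(r"[0-9]+(?:\.[0-9]+)*", match.group(1)).group(0)
    return tuple(int(part) for part in numeric.split("."))


def is_vulnerable(version: tuple) -> bool:
    """True when the installed version predates the patched release."""
    return version < PATCHED_VERSION


def check_install(wp_root: str) -> dict:
    """Inspect one WordPress root and report whether Social Warfare needs updating."""
    plugin_path = Path(wp_root) / PLUGIN_FILE
    if not plugin_path.is_file():
        return {"installed": False, "vulnerable": False, "version": None}
    version = plugin_version_from_header(plugin_path.read_text(errors="replace"))
    return {"installed": True, "vulnerable": is_vulnerable(version), "version": version}


# Constructed sample header, in the shape WordPress plugin headers use.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Social Warfare
 * Version: 3.5.2
 */
"""

if __name__ == "__main__":
    v = plugin_version_from_header(SAMPLE_HEADER)
    print(f"sample header version {'.'.join(map(str, v))}: vulnerable={is_vulnerable(v)}")
```

Run `check_install()` against each site root to produce an inventory of installs that still need the 3.5.3 update.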