A new vulnerability has been found in WordPress where the Simple Social Buttons plugin used to support social media sharing features can be exploited by non-admin users to take control over the entire website. Those users using this plugin must update it at the earliest.
The Simple Social Buttons plugin is a popular free and paid plugin that allows to add social media sharing buttons on the sidebar, inline, above and below the content of the post, on photos, popups, fly-ins etc.
The vulnerability was discovered by a developer and researcher at WordPress security firm WebARX, Luka Sikic who had reported the issue to the plugin’s author.
He states that the issue is an improper application design flow, chained with lack of permission check. An attacker who registers a new account on a site can exploit this flaw to alter the WordPress site’s main settings, other than what the plugin was originally meant to do. Once these modifications are done, the attacker can take complete control over the site by installing backdoors or taking over admin accounts.
The below demo video which the researcher has posted, shows how dangerous the vulnerability is by changing the email address associated with a WordPress site’s admin account.
Sikic has reported the issue to WPBrigade which is the company behind the plugin for which they have issued a patch immediately. All the users are recommended to install Simple Social Buttons version 2.0.22 that was released on February 8.
The flaw has serious consequences where non-admin users, even subscriber user can modify WordPress installation options and so it might be considered seriously. Some sites that make use of this plugin are protected properly as their administrators have already blocked user registration as a security measure.
But those sites that allows the users to register to post comments on blog posts are vulnerable to attacks and must apply the plugin update as soon as possible.
As per the statistics from the official WordPress Plugins repository, this plugin was installed in more than 40,000 websites which makes it an easy target for WordPress botnet operators.