Over 40,000 websites online are using Social Warfare, a highly popular WordPress plugin that allows visitors to share content directly on their social media profiles. For a few years now, this plugin has been one of the go-to options for webmasters that want to pack their WordPress-based sites with efficient social capabilities.
Now, Social Warfare has become a serious problem for both webmasters and Internet users. A bug in this plugin led to a series of dangerous exploits from cybercriminals who can use the plugin to gain unauthorized access to websites and their hosting servers.
The Vulnerability
The identified vulnerability in older versions of the Social Warfare plugin has two flanks: a stored cross-site scripting (XSS) vulnerability and, on the other side, a remote code-execution (RCE) one.
This vulnerability opens a door for hackers to gain full control of the website by using PHP code. Any kind of authentication process becomes useless through this exploit, causing a massive risk. The reach of this problem is quite considerable, especially having in mind that the plugin is being used on high-traffic sites.
The Risks
Palo Alto’s Unit 42 division published a report on this plugin bug and its implications. According to the researchers, the plugin is installed in over 40,000 WordPress-based websites. However, it’s important to mention that only outdated versions of the plugin create the security breach for these websites and many of them probably updated it with the fixed version.
Nonetheless, there is absolute certainty that a big share of the affected websites continue to run an outdated version of the plugin, which means that they continue to be openly exposed to the problem.
Another important fact shared by the Unit 42 division is that the plugin is present on several high-profile websites that receive considerable traffic. This includes financial and educational websites.
How Hackers Are Using the Exploit For?
Now, what’s the benefit in gaining control of websites for cybercriminals? The exploit made available by Social Warfare’s vulnerabilities has allowed malicious parties to share malware with visitors, replace legitimate content with phishing pages, and access users’ devices for mining purposes.
It’s possible that the cybersecurity threats imposed by the previous versions of Social Warfare only made to the news because of its wide base of users but truth be told, using most WordPress plugins represent a huge liability as well.
An Imperva report released last January implied that over 98 percent of WordPress-based websites’ vulnerabilities are caused by plugins. This isn’t the first time a WordPress plugin created a serious security breach for both webmasters and visitors. In recent months, plugins like Simple Social Buttons and Yellow Pencil Visual Theme Customizer have had open a door for cybercriminals to take over websites and use them as channels to effectively infect users’ devices and steal information through phishing tactics.
Social Warfare has now released an updated version of the plugin and it has been told to the community that the vulnerabilities that made possible the exploit have been fixed. Yet, this event represents another precedent about the security implications of using plugins for WordPress.