UPDATE
Active exploits for a recently disclosed bug in a popular WordPress plugin, Social Warfare, are snowballing in the wild – potentially putting more than 40,000 websites at risk.
The vulnerability, CVE-2019-9978, covers both a stored cross-site scripting (XSS) flaw and a remote code-execution (RCE) bug. An unauthenticated attacker can use them to run arbitrary PHP code and take control of the website and the underlying server.
Once the cyberattackers have compromised a website, they can use it to perform coin-mining on site visitors, host phishing pages, drop drive-by malware or carry out ad fraud; or, they could add the WordPress installation to a botnet.
Social Warfare, which allows websites to add social sharing buttons to their pages, is vulnerable in all versions 3.5.0-3.5.2; a patch was issued on March 21 in version 3.5.3 after news of what was then a zero-day emerged. Yet many websites haven’t updated the plugin: Palo Alto Networks’ Unit 42 division said in an analysis Monday that “approximately 60,000 active installations were found at the time of writing which are potentially vulnerable until they update to 3.5.3.” These include education sites, finance sites and news sites. “Many of these sites receive high traffic,” the firm added.
A zero-day exploit was spotted shortly after the bug was disclosed, prompting downloads of the plugin to be disabled until the updated version was released (it is now back and available for download). Since then, according to Unit 42, the attacks have mounted in increasing numbers.
In one cluster of attacks, Unit 42 researchers found five compromised sites that are hosting malicious exploit code. It has also seen several sites carrying malicious JavaScript that exploits the stored XSS vulnerability and redirects visitors to various ad sites.
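Two checks a site owner or responder would want after reading the version and stored-XSS details above: confirm which installs are still on a vulnerable Social Warfare release, and look for injected script or redirect payloads in stored plugin settings. The following is an added example, not code from Threatpost, Unit 42 or the plugin's authors. It assumes the standard WordPress plugin header format ("Version: x.y.z" in the plugin's main PHP file) and a plain export of wp_options rows; the plugin headers and option rows below are constructed for the demo, and the redirect patterns are generic assumptions rather than the actual in-the-wild payload, which the article does not reproduce.

```python
"""Audit helpers for the Social Warfare advisory (added example, not the
page's or the plugin's own code)."""
import re

# Vulnerable range stated in the article: 3.5.0 through 3.5.2, fixed in 3.5.3.
VULN_MIN = (3, 5, 0)
FIXED = (3, 5, 3)

# Matches "Version: 3.5.2" or " * Version: 3.5.2" inside a plugin header block.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)

# Generic stored-XSS indicators (assumed patterns, not the real payload):
# an injected <script> block, or inline JavaScript rewriting the location.
_SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
_REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href|\.replace)?\s*[=(]",
    re.IGNORECASE,
)


def parse_version(header_text):
    """Return the plugin version as a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(header_text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def _pad(version):
    """Right-pad to three components so '3.5' compares as (3, 5, 0)."""
    v = tuple(version)
    return v + (0,) * (3 - len(v))


def is_vulnerable(version):
    """True when 3.5.0 <= version < 3.5.3. Comparing int tuples avoids the
    string-compare trap where '3.5.10' sorts before '3.5.2'."""
    return VULN_MIN <= _pad(version) < FIXED


def classify(version):
    """'vulnerable' for the stated range, 'patched' for 3.5.3+, 'outdated'
    for releases older than the range, 'unknown' if no header was found."""
    if version is None:
        return "unknown"
    if is_vulnerable(version):
        return "vulnerable"
    return "patched" if _pad(version) >= FIXED else "outdated"


def audit_versions(headers):
    """headers: {site_label: plugin main-file text}. Returns {site: status}."""
    return {site: classify(parse_version(text)) for site, text in headers.items()}


def find_suspicious_options(rows):
    """rows: iterable of (option_name, option_value). Returns the option names
    whose value contains a script tag or a location rewrite. Sharing-button
    settings never legitimately need either, so any hit deserves a look."""
    return [name for name, value in rows
            if _SCRIPT_RE.search(value) or _REDIRECT_RE.search(value)]


# Constructed sample inputs for the demo.
SAMPLE_PLUGIN_HEADERS = {
    "site-a": "<?php\n/**\n * Plugin Name: Social Warfare\n * Version: 3.5.2\n */",
    "site-b": "<?php\n/*\nPlugin Name: Social Warfare\nVersion: 3.5.3\n*/",
    "site-c": "<?php\n/*\nPlugin Name: Social Warfare\nVersion: 3.4.9\n*/",
    "site-d": "<?php\n/*\nPlugin Name: Social Warfare\nVersion: 3.5.10\n*/",
}
SAMPLE_OPTIONS = [  # constructed wp_options rows; "swp_demo_text" is hypothetical
    ("social_warfare_settings", 'a:1:{s:5:"order";s:3:"abc";}'),
    ("swp_demo_text", '<script>window.location.href="http://example.invalid/ads";</script>'),
    ("widget_text", "Follow us on social media"),
    ("blog_charset", "UTF-8"),
]

if __name__ == "__main__":
    for site, status in audit_versions(SAMPLE_PLUGIN_HEADERS).items():
        print(f"{site}: {status}")
    print("suspicious options:", find_suspicious_options(SAMPLE_OPTIONS))
```

Feed `audit_versions` the contents of `wp-content/plugins/social-warfare/social-warfare.php` from each site you manage, and `find_suspicious_options` the `option_name`/`option_value` pairs from a `wp_options` dump; anything reported as "vulnerable" or "outdated" should be updated to 3.5.3 or later before the option scan is trusted, since a site on a vulnerable release can be re-infected.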
“There are many exploits in the wild for the Social Warfare plugin and it is likely they will continue to be used maliciously,” the researchers said. “Since over 75 million websites are using WordPress and many of the high traffic WordPress websites are using the Social Warfare plugin, the users of those websites could be exposed to malware, phishing pages or miners.”
Buggy WordPress plugins continue to plague users of the content management system; in fact, according to a January Imperva report, almost all (98 percent) of WordPress site vulnerabilities are related to them. Just recently for instance, a plugin called Yellow Pencil Visual Theme Customizer was found being exploited in the wild after two software vulnerabilities were discovered. It has an active install base of more than 30,000 websites.
And in January, a critical vulnerability in the popular WordPress plugin Simple Social Buttons was found that enables non-admin users to modify WordPress installation options – and ultimately take over websites. Simple Social Buttons also enables users to add social-media sharing buttons to various locations on their websites. That plugin has more than 40,000 active installations, according to the WordPress Plugin repository.
Meanwhile, it appears that certain threat actors are specializing in taking advantage of these flaws. Researchers with Wordfence recently said that they’re “confident” that exploits for the bugs in Yellow Pencil and Social Warfare, as well as exploits for Easy WP SMTP and Yuzo Related Posts flaws, are all the work of one adversary. That’s because the IP address of the domain hosting the malicious script in the attacks is the same for the exploits in the other attacks, they said.
This post has been updated to reflect the correct number of active installs and the correct vulnerable versions of the plugin.