Exploits for Social Warfare WordPress Plugin Reach Critical Mass

social warfare cyberattacks wordpress plugin

More and more attacks taking advantage of a XSS and RCE bug in the popular plugin have cropped up in the wild.

UPDATE

Active exploits for a recently disclosed bug in a popular WordPress plugin, Social Warfare, are snowballing in the wild – potentially putting more than 40,000 websites at risk.

The vulnerability, CVE-2019-9978, tracks both a stored cross-site scripting (XSS) vulnerability and a remote code-execution (RCE) bug. An attacker can use these vulnerabilities to run arbitrary PHP code and gain control the website and server, without authentication.

Once the cyberattackers have compromised a website, they can use it to perform coin-mining on site visitors, host phishing pages, drop drive-by malware or carry out ad fraud; or, they could add the WordPress installation to a botnet.

Social Warfare, which allows websites to add social sharing buttons to their pages, is vulnerable in all versions 3.5.0-3.5.2; a patch was issued on March 21 in version 3.5.3 after news of what was then a zero-day emerged. Yet many websites haven’t updated the plugin: Palo Alto Networks’ Unit 42 division said in an analysis Monday that “approximately 60,000 active installations were found at the time of writing which are potentially vulnerable until they update to 3.5.3.” These include education sites, finance sites and news sites. “Many of these sites receive high traffic,” the firm added.

A zero-day exploit was spotted shortly after the bug was disclosed, prompting the plugin to disable downloads until the updated version was released (it’s now back and available for download). Since then, according to Unit 42, the attacks have mounted in increasing numbers.

In one cluster of attacks, Unit 42 researchers found five compromised sites that are hosting malicious exploit code. It also has seen several sites with malicious JavaScript code exploiting the stored XSS vulnerability, which redirect victims to various ad sites.

“There are many exploits in the wild for the Social Warfare plugin and it is likely they will continue to be used maliciously,” the researchers said. “Since over 75 million websites are using WordPress and many of the high traffic WordPress websites are using the Social Warfare plugin, the users of those websites could be exposed to malware, phishing pages or miners.”

Buggy WordPress plugins continue to plague users of the content management system; in fact, according to a January Imperva report, almost all (98 percent) of WordPress site vulnerabilities are related to them. Just recently for instance, a plugin called Yellow Pencil Visual Theme Customizer was found being exploited in the wild after two software vulnerabilities were discovered. It has an active install base of more than 30,000 websites.

And in January, a critical vulnerability in popular WordPress plugin Simple Social Buttons was found that enables non-admin users to modify WordPress installation options – and ultimately take over websites. Simple Social Buttons also enables users to add social-media sharing buttons to various locations o their websites. That plugin has more than 40,000 active installations, according to WordPress Plugin repository.

Meanwhile, it appears that certain threat actors are specializing in taking advantage of these flaws. Researchers with Wordfence recently said that they’re “confident” that exploits for the bugs in Yellow Pencil and Social Warfare, as well as exploits for Easy WP SMTP and Yuzo Related Posts flaws, are all the work of one adversary. That’s because the IP address of the domain hosting the malicious script in the attacks is the same for the exploits in the other attacks, they said.

This post has been updated to reflect the correct number of active installs and the correct vulnerable versions of the plugin.

Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.

A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.

Suggested articles

Discussion

  • Plugin Vulnerabilities on

    Your source for this story doesn't seem reliable at all. While they claim and you repeat that "all versions prior to 3.5.3" of the plugin are vulnerable, only versions 3.5.0-3.5.2 were vulnerable. That would be something that researchers could have easily checked. Their method of figuring out how many websites are using this plugin seems like it would be unneeded, since WordPress already provides a measure of active installs, which is currently 60,000+, and their method seems like it would be less accurate, That indicates they might not be all that familiar with WordPress plugins. Their claim that “most" of the websites using this are using a vulnerable version doesn't match with the stats provided on the WordPress website and the little evidence they point to actually seems to show that most are not using a vulnerable version. At best, they might be coming by that by that claim due to incorrectly assuming that versions below 3.5.0 are also vulnerable, but it looks like the "most" claim is probably not based on any real evidence.
    • Tara Seals on

      Thanks for the comment -- I'll take this back to the researchers and see what they say.
    • Tara Seals on

      Good catch here-- after I flagged your comment for Unit 42, they told me: "The blog has been updated based on the reader’s comment below: 'Both vulnerabilities are present in versions 3.5.0-3.5.2 of Social Warfare: a fix was released on 21 March and is in version 3.5.3. Approximately 60,000 active installations were found at the time of writing which are potentially vulnerable until they update to 3.5.3.'” I'm updating the article as well.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.