The two Pastebin URLs that were still live were nearly identical. Both contained the same type of injection, at the same injection point, with the same obfuscation method, and both performed redirects in the same manner. The only difference was the redirect target.
One domain, setforconfigplease[.]com, has been on our radar for a while now, most recently in our research into attacks against Easy WP SMTP. The other, strangefullthiggngs[.]com, is a newcomer. In fact, it was registered today.
As shown in the diff above, all of the existing settings import code was gutted from the plugin and replaced. Additionally, new code was added which attempts to directly reverse the XSS injections that had been distributed.
Yes, we (the WordPress.org plugins team) caught that mistake too, and told the authors about it. However, given the rest of the patch, and the timeline, I felt it was safe enough to ignore it for now, and to work with them to improve the security overall in a later release. Given the problem and the active exploit, fixing that was the priority.
On 21 March, researchers disclosed two vulnerabilities in Social Warfare, a very popular WordPress plugin which adds social share buttons to a website or blog. One is a stored cross-site scripting (XSS) vulnerability and the other is a remote code execution (RCE) vulnerability; both are tracked as CVE-2019-9978. Both vulnerabilities are present in versions 3.5.0-3.5.2 of Social Warfare; a fix was released on 21 March in version 3.5.3. At the time of writing, approximately 60,000 active installations were potentially vulnerable until updated to 3.5.3. An attacker can use these vulnerabilities to run arbitrary PHP code and control the website and the server without authentication. The attackers may use the compromised sites to perform digital coin mining or host malicious exploit code. Unit 42 researchers found five compromised sites actively used for hosting malicious exploit code, which allows the attackers to control more websites.
In this blog post we provide new details on the root cause of the vulnerabilities, proof of concept code (PoC) to demonstrate the vulnerability, and information on attacks we observed in the wild as well as the scope of vulnerable sites.
We found about 40,000 sites that have installed this plugin, most of which are running a vulnerable version, including education sites, finance sites, and news sites. Many of these sites receive high traffic, as shown by the Alexa global traffic rank in the left column of Figure 7:
There are many exploits in the wild for the Social Warfare plugin and it is likely they will continue to be used maliciously. Since over 75 million websites use WordPress and many of the high-traffic WordPress websites use the Social Warfare plugin, the users of those websites could be exposed to malware, phishing pages or miners. Website administrators should update the Social Warfare plugin to version 3.5.3 or newer.
Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit www.cyberthreatalliance.org.
The vulnerability, CVE-2019-9978, tracks both a stored cross-site scripting (XSS) vulnerability and a remote code-execution (RCE) bug. An attacker can use these vulnerabilities to run arbitrary PHP code and gain control of the website and server, without authentication.
Once the cyberattackers have compromised a website, they can use it to perform coin-mining on site visitors, host phishing pages, drop drive-by malware or carry out ad fraud; or, they could add the WordPress installation to a botnet.
In one cluster of attacks, Unit 42 researchers found five compromised sites that are hosting malicious exploit code. The team has also seen several sites carrying malicious JavaScript code that exploits the stored XSS vulnerability, redirecting victims to various ad sites.
Buggy WordPress plugins continue to plague users of the content management system; in fact, according to a January Imperva report, almost all (98 percent) of WordPress site vulnerabilities are related to them. Just recently for instance, a plugin called Yellow Pencil Visual Theme Customizer was found being exploited in the wild after two software vulnerabilities were discovered. It has an active install base of more than 30,000 websites.
A significant security concern was identified in the Social Warfare plugin for WordPress, described by CVE-2019-9978. This vulnerability has been known to enable attackers to execute stored cross-site scripting (XSS) attacks through a compromised parameter. Here, we dissect the vulnerability details, impacts, and mitigation measures necessary for web administrators and users to secure their installations.
Regular Software Updates: Keeping WordPress and its plugins updated is crucial for security. Updates often contain patches for vulnerabilities that could be exploited if left unpatched.
Enhanced Input Sanitization: Employ stringent input validation and sanitization to prevent malicious data from affecting the website. Plugins should be coded to explicitly reject unexpected inputs.
User Education and Awareness: Educate users on the risks associated with XSS attacks and the importance of using secure practices, such as not clicking on unknown links and regularly updating their browser software.
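The input sanitization mitigation above is easier to apply with a concrete pattern in front of you. The following is an added example written for this page, not Social Warfare's code and not the plugin authors' patch: a hypothetical WordPress settings-import handler in which every function and option name prefixed `example_plugin_` is an assumption. It shows a weak handler that stores whatever the request carries beside a hardened one that authorizes the request, accepts only allow-listed keys, sanitizes each value for the context it will be rendered in, and rejects anything unexpected instead of silently repairing it.

```php
<?php
/**
 * Hypothetical plugin settings-import handler (illustration for this page only,
 * not Social Warfare's code). Uses WordPress core sanitization and
 * authorization functions; all example_plugin_* names are assumed.
 */

// Allow-list of the settings this hypothetical plugin understands, each paired
// with the core sanitizer appropriate to how the value is later output.
function example_plugin_settings_schema() {
    return array(
        'button_label' => 'sanitize_text_field', // plain text, no markup allowed
        'share_url'    => 'esc_url_raw',         // URL with an allowed scheme only
        'custom_html'  => 'wp_kses_post',        // limited, post-safe HTML only
        'button_count' => 'absint',              // non-negative integer
    );
}

// Weak version (example only): trusts every key and value in the request and
// stores them verbatim. A stored markup payload or a javascript: URL would be
// saved as-is and rendered later, which is exactly a stored XSS condition.
function example_plugin_import_settings_unsafe() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_plugin_settings', $settings );
}

// Hardened version: capability check, nonce check, allow-listed keys, per-key
// sanitization, and outright rejection of unexpected input.
function example_plugin_import_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_plugin_import' ); // nonce action name is assumed

    $raw = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : null;
    if ( ! is_array( $raw ) ) {
        wp_die( 'Malformed import payload.', '', array( 'response' => 400 ) );
    }

    $schema = example_plugin_settings_schema();
    $clean  = array();

    foreach ( $raw as $key => $value ) {
        if ( ! isset( $schema[ $key ] ) || ! is_scalar( $value ) ) {
            // Unknown keys and nested structures are rejected, never stored.
            wp_die( 'Unexpected setting: ' . esc_html( (string) $key ), '', array( 'response' => 400 ) );
        }
        $clean[ $key ] = call_user_func( $schema[ $key ], (string) $value );
    }

    // esc_url_raw() returns '' for disallowed schemes such as javascript:, so an
    // empty result for a supplied URL means the input was not acceptable.
    if ( isset( $raw['share_url'] ) && '' === $clean['share_url'] ) {
        wp_die( 'share_url must be a valid http(s) URL.', '', array( 'response' => 400 ) );
    }

    update_option( 'example_plugin_settings', $clean );
}

// Output side: escape again at render time regardless of what was stored, so a
// value that slipped past import validation still cannot break out of the HTML.
function example_plugin_render_button( $settings ) {
    return sprintf(
        '<a href="%s" class="example-share">%s</a>',
        esc_url( $settings['share_url'] ),
        esc_html( $settings['button_label'] )
    );
}
```

The design point is that sanitization is tied to the destination context (text, URL, limited HTML, integer) rather than applied as one generic filter, and that escaping happens again on output; either layer alone leaves a gap when the other is bypassed.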
CVE-2019-9978 underscores the continuous need for vigilance and proactive security measures in managing WordPress sites, particularly concerning widely-used plugins like Social Warfare. By understanding the nature of this XSS vulnerability and implementing suggested mitigation strategies, website administrators can significantly bolster their defenses against potential attacks.
A zero-day vulnerability in WordPress plugins is a security flaw that is unknown to the plugin developers and is actively exploited by attackers. These vulnerabilities can be extremely dangerous as they can allow unauthorized access to WordPress sites, remote code execution, and data breaches.
According to the information provided in the document and web search sources, there have been several zero-day vulnerabilities in WordPress plugins over the past few years. For example, the File Manager plugin, which has over 700,000 active installs, was found to have a critical zero-day vulnerability in 2020 that allowed unauthenticated users to upload malicious files and perform remote code execution. Similarly, the Fancy Product Designer plugin, which is installed on over 17,000 sites, was found to have a critical zero-day vulnerability in 2022 that was actively exploited in the wild.
In addition to plugin vulnerabilities, there have also been zero-day vulnerabilities in the WordPress core software. For example, a zero-day vulnerability in the PHPMailer library, which is used to send emails from WordPress, was discovered in 2023 that affected the WordPress core software.
Our team is actively tracking attacks against this flaw, and will publish more details as soon as we feel it is responsible to do so. In the meantime, please consider sharing this public service announcement with other WordPress users who may not know of these new risk factors.