Social Warfare plugin flaws allow both Cross-Site Scripting and Remote Code Execution

A zero-day vulnerability in the popular Social Warfare plugin was recently found being exploited in the wild. It allows Cross-Site Scripting (XSS), and while security researchers examined the code behind the initial attack they found that the same plugin also allowed Remote Code Execution (RCE). Both problems are fixed in the most recent release, so if you run Social Warfare, update it now.

This is a good example of why we update plugins (and themes, and WordPress core) as soon as a new version is released: attackers were already using the XSS hole before a fix existed, so every day an old version stays installed is a day the site can be hit.
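To make "update promptly" something you can check rather than a slogan, here is an added example (not code from the original post, and not from the Social Warfare project) that reads the Version: header WordPress itself uses in each plugin's main PHP file and compares it against a minimum patched version. The plugins directory, the two fake plugins it builds, and the minimum version numbers in the demo are constructed placeholders; take the real patched version from the plugin's own changelog. Versions are compared numerically, because comparing them as strings would wrongly rank 3.9 above 3.10.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Matches the "Version: x.y.z" line of a plugin header, with or without the
# leading " * " of a docblock comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def find_main_file(plugin_dir: Path) -> Optional[Path]:
    """Return the first top-level .php file carrying a 'Plugin Name:' header."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if "Plugin Name:" in head:
            return php
    return None


def plugin_version(main_file: Path) -> Optional[str]:
    """Read the Version: value from a plugin's main file header."""
    head = main_file.read_text(encoding="utf-8", errors="replace")[:8192]
    match = VERSION_RE.search(head)
    return match.group(1) if match else None


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.5.2' -> (3, 5, 2, 0). Non-numeric parts (e.g. '-beta') count as 0."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    parts += [0] * (4 - len(parts))  # pad so (3,5,3) and (3,5,3,0) compare equal
    return tuple(parts)


def is_outdated(installed: str, minimum_fixed: str) -> bool:
    """True when the installed version is older than the first patched one."""
    return parse_version(installed) < parse_version(minimum_fixed)


def audit_plugins(plugins_dir: Path, minimums: Dict[str, str]) -> Dict[str, str]:
    """Map each plugin slug in `minimums` to a status string."""
    report = {}
    for slug, fixed in minimums.items():
        plugin_dir = plugins_dir / slug
        main = find_main_file(plugin_dir) if plugin_dir.is_dir() else None
        if main is None:
            report[slug] = "not installed"
            continue
        version = plugin_version(main)
        if version is None:
            report[slug] = "no Version header"
        elif is_outdated(version, fixed):
            report[slug] = f"OUTDATED {version} < {fixed}"
        else:
            report[slug] = f"ok {version}"
    return report


def demo() -> Dict[str, str]:
    """Build a constructed plugins directory with fake plugins and audit it.
    The version numbers below are placeholders, not a statement of which
    release fixed the Social Warfare flaws."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp)
        for slug, version in (("social-warfare", "3.5.2"), ("other-plugin", "3.10.0")):
            (plugins / slug).mkdir()
            (plugins / slug / f"{slug}.php").write_text(
                f"<?php\n/*\nPlugin Name: {slug}\nVersion: {version}\n*/\n"
            )
        minimums = {"social-warfare": "3.5.3", "other-plugin": "3.9.0", "missing-plugin": "1.0"}
        return audit_plugins(plugins, minimums)


if __name__ == "__main__":
    for slug, status in demo().items():
        print(f"{slug}: {status}")
```

Pointed at a real wp-content/plugins directory instead of the temporary one, the same audit_plugins call makes a cheap cron or CI check that fails loudly when a plugin with a known fix is still on an old version.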

What does that all mean?

A zero-day vulnerability is a security hole in some software that someone, somewhere has found (and in this case is actively using), but which the software developers do not yet know about. They have literally had zero days to fix it, and until they do there is no patch for users to install.

Cross-Site Scripting (XSS) is a type of security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts (usually JavaScript) into web pages viewed by other users. The injected script runs in the visitor's browser with the site's own origin, so it can be used to bypass access controls such as the same-origin policy, steal session cookies, or redirect visitors elsewhere.
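The core of an XSS bug is a value that is trusted as text but ends up interpreted as markup. The following added example (not code from the original post or from the Social Warfare plugin, which is written in PHP) shows the pattern with a plugin setting that should hold a Twitter handle: the vulnerable renderer interpolates the stored value straight into an href attribute, the fixed renderer escapes it for that context, and an input-time allowlist stops junk from being saved at all. The setting name and the sample values are constructed for the demonstration.

```python
import html
import re

# Constructed sample values for a plugin setting that should hold a plain
# Twitter handle. The second is what an attacker who can overwrite the
# plugin's options would store there.
BENIGN_HANDLE = "example_site"
MALICIOUS_HANDLE = '"><script>location="https://attacker.invalid"</script><a href="'


def render_share_button_vulnerable(handle: str) -> str:
    """Interpolates a stored setting straight into HTML: the bug pattern.
    A value containing a double quote closes the href attribute early and
    the rest of the value becomes markup that every visitor's browser runs."""
    return f'<a class="swp-share" href="https://twitter.com/{handle}">Share</a>'


def render_share_button_fixed(handle: str) -> str:
    """Same template, but the value is escaped for an attribute context.
    html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    browser sees one long, inert attribute value instead of new tags."""
    safe = html.escape(handle, quote=True)
    return f'<a class="swp-share" href="https://twitter.com/{safe}">Share</a>'


def is_valid_handle(value: str) -> bool:
    """Defence in depth: reject anything that is not a Twitter handle when the
    setting is saved, so a payload never reaches the database to begin with."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,15}", value) is not None


def contains_live_script(markup: str) -> bool:
    """Demo check: does the output contain a real <script tag? An escaped one
    (&lt;script) is just text, so it does not match."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for name, render in (("vulnerable", render_share_button_vulnerable),
                         ("fixed", render_share_button_fixed)):
        out = render(MALICIOUS_HANDLE)
        print(f"{name}: script would execute = {contains_live_script(out)}")
        print("   ", out)
```

Escaping must match the context the value lands in (HTML body, attribute, URL, JavaScript), which is why WordPress ships separate esc_html, esc_attr, esc_url and esc_js helpers; the attribute case above is the one that bites when a setting is dropped into a link.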

Remote Code Execution (RCE) is the ability to make a system run code of the attacker's choosing over a network. In the case of an exploit, that code is malicious code placed on the site by the attacker; on a WordPress site it usually means running arbitrary PHP as the web server user, which gives the attacker effectively full control of the site.

https://en.wikipedia.org/wiki/Cross-site_scripting

https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/

https://www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/

Posted in Exploit.