Wordfence Threat Intelligence team discovered a vulnerability in “Sassy Social Share”, a WordPress plugin installed on over 100,000 sites. The vulnerability provided a way for subscriber level users to gain remote code execution and take over a vulnerable site. Sites that have open registration allow anyone to create a “subscriber” level account, and are particularly vulnerable to this vulnerability.
Wordfence Premium users received a firewall rule to protect against exploits targeting this vulnerability on August 31, 2021. Sites still using the free version of Wordfence received the same protection on September 30, 2021.
In this case, the flaw made it possible for an attacker to import plugin settings and potentially inject PHP Objects that could be used as part of a POP Chain – a code execution sequence in the application that is exploited by the attacker.