The vulnerability in the WordPress plugin has been fixed with the release of the 3.5.3 version of the plugin.
Vulnerable versions of the Social Warfare plugin are currently installed on more than 70,000 websites. The plugin was temporarily removed from the WordPress plugin store and was later added again after the zero-day flaw has been addressed.
“Earlier today, an unnamed security researcher published a full disclosure of a stored Cross-Site Scripting (XSS) vulnerability present in the most recent version of popular WordPress plugin Social Warfare. The plugin, which was subsequently removed from the WordPress.org plugin repository, has an active install base of over 70,000 sites.” reads the analysis published by WordPress security firm Wordfence.
The development team at Social Warfare confirmed that threat actors are actively exploiting the zero-day flaw in attacks in the wild.
Users that for some reason could not update the Social Warfare plugin have to disable it.
The plugin’s download history info shows that there were roughly 21K downloads recorded after the disclosure of the zero-day, this means that that are tens of thousands of websites still running vulnerable versions.
In the same hours of the disclosure of the Social Warfare flaw, another
(SecurityAffairs – WordPress plugin, Social Warfare)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.