WordPress Plugin Removed After Zero Day Discovered

A popular WordPress plugin has been removed from the WordPress plugin repository after it was discovered to have a vulnerability that was being exploited in the wild.

The plugin, Social Warfare, lets users add social media sharing buttons to their websites. Social Warfare has an active install base of over 70,000 sites and over 805,000 downloads. Wordfence said that the most recent version of the plugin (3.5.2) was plagued by a stored cross-site scripting vulnerability. Worse, researchers have identified attacks in the wild against the vulnerability.

“The flaw allows attackers to inject malicious JavaScript code into the social share links present on a site’s posts,” said Mikey Veenstra with Wordfence in a Thursday post.

The attacks started after an “unnamed security researcher published a full disclosure” of the vulnerability earlier today, said Veenstra. There is currently no evidence that attacks started prior to today, he told Threatpost.

The plugin was consequently taken down. A notice on the WordPress plugin page for Social Warfare says “This plugin was closed on March 21, 2019 and is no longer available for download.”

Meanwhile, Social Warfare tweeted that it is aware of the vulnerability: “Our developers are working to release a patch within the next hour. In the meantime, we recommend disabling the plugin. We will update you as soon as we know more.”

At this time, Veenstra said that Wordfence will refrain from publicizing details of the flaw and the attacks against it: “At such time that the vendor makes a patch available, we will produce a follow-up post with further information,” he said.

In the meantime, Veenstra said that users should deactivate the plugin as soon as possible until a patch has been released.