Vulnerability found in the “Simple Social Buttons” social sharing plugin installed on more than 40,000 WordPress sites. WordPress site owners who use the Simple Social Buttons plugin to add social media sharing buttons should update it as soon as possible to close a security hole that can be used to take over sites.
Luka Šikić, a developer and researcher at WordPress security company WebARX, discovered the security problem last week and told the plugin’s author about the problem.
In a report published today, he described the problem as “an improper application design flow chained with a lack of permission checks.” He says an attacker who can register new accounts on a site can use this vulnerability to make changes to the main settings of a WordPress site, outside what the plugin was originally intended to manage.
These changes can allow an attacker to install backdoors or hijack admin accounts and, through them, the whole site. Šikić showed how dangerous the vulnerability is in a demo video he posted on YouTube today, in which he changes the email address associated with the admin account of a WordPress site.
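The flaw described above, a plugin settings handler that is reachable by any logged-in user and performs no permission check, is a recurring pattern in WordPress plugins. The snippet below is an added, hypothetical illustration of that pattern and of one hardened form; it is not code from Simple Social Buttons, and every hook, function and option name prefixed `demo_` is made up for the example. The WordPress API calls (`add_action`, `current_user_can`, `check_ajax_referer`, `update_option`, `wp_send_json_*`) are real.

```php
<?php
/*
 * Hypothetical plugin settings handler (not Simple Social Buttons' code).
 *
 * Vulnerable pattern: a wp_ajax_* hook fires for ANY authenticated user, including a
 * subscriber who registered a minute ago. Being logged in is not the same as being
 * allowed to change settings, and letting the client name the option means core
 * options (such as the admin e-mail) can be overwritten, not just the plugin's own.
 */
add_action( 'wp_ajax_demo_save_setting_vulnerable', 'demo_save_setting_vulnerable' );
function demo_save_setting_vulnerable() {
    // No capability check, no nonce, option name taken straight from the request.
    update_option( $_POST['option_name'], $_POST['option_value'] );
    wp_send_json_success();
}

/*
 * Hardened form: authorization, request-forgery protection, and an allowlist of the
 * option names the plugin legitimately owns (the two names here are constructed).
 */
const DEMO_ALLOWED_OPTIONS = array( 'demo_share_networks', 'demo_button_style' );

add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting' );
function demo_save_setting() {
    // 1. Authorization: only users allowed to manage site settings (administrators).
    //    This is the check whose absence the article describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // exits
    }

    // 2. CSRF protection: the client must send a nonce created with
    //    wp_create_nonce( 'demo_save_setting' ); check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'demo_save_setting', '_wpnonce' );

    // 3. Never let the client pick the option key; accept only the plugin's own options.
    $name = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
        : '';
    if ( ! in_array( $name, DEMO_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown setting', 400 ); // exits
    }

    // 4. Sanitize the value before it is stored.
    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';
    update_option( $name, $value );

    wp_send_json_success( array( 'saved' => $name ) );
}
```

The decisive difference is the first check: `current_user_can( 'manage_options' )` ties the action to a capability rather than to mere authentication. The allowlist then limits the blast radius even if a future bug bypasses that check, because the handler can no longer be pointed at options the plugin was never meant to manage.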
Šikić says he notified WPBrigade, the company behind the plugin, last week, and a day after his report they released a patch. Users are advised to install version 2.0.22 of Simple Social Buttons, released last Friday, February 8. Because of its consequences, the problem should not be taken lightly.
Some sites are inherently protected against this vulnerability because their admins have already blocked user registration for security reasons. However, sites that allow users to register in order to comment on blog posts are exposed to attacks and should update the plugin as soon as possible.
According to statistics from the official WordPress Plugins repository, the plugin has been installed on more than 40,000 websites, making it an attractive target for WordPress botnet operators.