Social Warfare <= 3.5.2 – Unauthenticated Arbitrary Settings Update | CVE 2019-9978

Description

Malicious eval() is being inserted into the wp_options table, in the option_name: social_wafare_settings, in the Twitter field.

When the plugin is active, it causes the site to issue a JavaScript redirect to porn sites.

Deactivating the plugin disables the redirect, but the malicious eval() is still in the database.

The plugin has been pulled from the WordPress repository.

https://wordpress.org/support/topic/malware-into-new-update/

So far we have seen this exploited on live sites running 3.5.1 and 3.5.2.

Affects Plugins

social-warfare

Fixed in 3.5.3

References

CVE

CVE-2019-9978

URL

https://wordpress.org/support/topic/malware-into-new-update/

URL

https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/

URL

https://threatpost.com/wordpress-plugin-removed-after-zero-day-discovered/143051/

URL

https://twitter.com/warfareplugins/status/1108826025188909057

URL

https://www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/

Miscellaneous

Submitter

Andrew Wilder

Submitter website

https://www.nerdpress.net

Submitter twitter

@nerdpress

Verified

WPVDB ID

32085d2d-1235-42b4-baeb-bc43172a4972

Timeline

Publicly Published

2019-03-21 (about 6 years ago)

Added

2019-03-21 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2021-09-13

Title

WooCommerce Multi Currency < 2.1.18 - Authenticated Product Price Change

Published

2020-02-29

Title

Booked < 2.2.6 - Broken Authentication to Export Users Data in CSV

Published

2024-08-30

Title

WP Cerber Security < 9.5 - IP Protection Bypass

Published

2014-08-01

Title

blogVault 1.08 - Missing Account Empty Secret Key Generation

Published

2022-04-07

Title

SiteGround Security < 1.2.6 - Authentication Bypass via 2-FA Authentication Setup