WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update

Description

Malicious eval() is being inserted into the wp_options table, in the option_name: social_wafare_settings, in the Twitter field.

When the plugin is active, it causes the site to issue a JavaScript redirect to porn sites.

Deactivating the plugin disables the redirect, but the malicious eval() is still in the database.

The plugin has been pulled from the WordPress repository.

https://wordpress.org/support/topic/malware-into-new-update/

So far we have seen this exploited on live sites running 3.5.1 and 3.5.2.

Affects Plugins

social-warfare
Fixed in version 3.5.3

References

CVE
CVE-2019-9978
URL
https://wordpress.org/support/topic/malware-into-new-update/
URL
https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/
URL
https://threatpost.com/wordpress-plugin-removed-after-zero-day-discovered/143051/
URL
https://twitter.com/warfareplugins/status/1108826025188909057
URL
https://www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/

Classification

Type

BYPASS

Miscellaneous

Submitter

Andrew Wilder

Submitter website
https://www.nerdpress.net
Submitter twitter
@nerdpress
Verified

No

WPVDB ID
32085d2d-1235-42b4-baeb-bc43172a4972

Timeline

Publicly Published

2019-03-21 (about 3 years ago)

Added

2019-03-21 (about 3 years ago)

Last Updated

2020-09-22 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin