Multiple Vulnerabilities in WordPress Social Warfare Plugin Could Allow for Remote Code Execution

ITS Advisory Number: 
2019-037
Date(s) Issued: 
Tuesday, April 2, 2019
Subject: 
Multiple Vulnerabilities in WordPress Social Warfare Plugin Could Allow for Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in the WordPress Social Warfare Plugin, the most severe of which could allow for remote code execution. WordPress is a web-based publishing application implemented in PHP, and the Social Warfare Plugin allows users to add social sharing buttons to their content. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution with elevated privileges.

 

THREAT INTELLIGENCE:

Wordfence has not yet observed RCE activity, but expects new attacks based on the details of the vulnerabilities being published. The developers of the plugin confirmed active exploitation of the plugin's stored cross site scripting vulnerability in the wild in March 2019

Systems Affected: 
  • WordPress Social Warfare Plugin versions 3.5.1 and 3.5.2
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
Medium
BUSINESS
Large and medium business entities: 
High
Small business entities: 
Medium
Home Users: 
Low
Description: 

Multiple vulnerabilities have been discovered in the WordPress Social Warfare Plugin, the most severe of which could allow for remote code execution. This vulnerability exists because the site configuration migration script directly executes attacker-controlled options as PHP code through the use of the PHP eval() function. An unauthenticated attacker can control the options by submitting a request to the script referencing a malicious configuration file. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution with elevated privileges that could allow the attacker to add administrative users, backdoors, execute system commands, or perform other malicious activity.

Actions: 
  • Verify no unauthorized system modifications have occurred on system before applying patch.
  • After appropriate testing, immediately apply updates provided by WordPress manually to affected systems.
  • Apply the Principle of Least Privilege to all systems and services. 
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.