Proofpoint cybersecurity experts: Hundreds of messages with links sent to recipients across multiple organizations. Cybercrime or Cyber Espionage?
Cyber security expert Luka Šikić of WebARX: WordPress has a critical vulnerability in ‘Simple Social Buttons’, that could allow attackers to modify the installation options
WordPress (WP) has a critical vulnerability in plugin ‘Simple Social Buttons’, that could allow attackers to modify the installation options. It has been discovered by the cyber security expert Luka Šikić of WebARX. The flaw is described “as an improper application design flow, chained with a lack of permission check”. This could result in privilege escalation and unauthorized actions in WordPress installation, allowing non-admin users to alter the options. According to the company’s blog, “a function would iterate through JSON object provided in the request and update all options with option_name from object key and option_value from a key value without checking whether the current user has permission to manage options or provided option_name belongs to that plugin.” The vulnerability affects plugin versions 2.0.4 and later, but luckily there is already patch to avoid the exploit.
There is a patch for the WP plugin, owners have to update it ASAP
Simple Social Buttons is a popular free and paid WordPress plugin, that brings the ability to add social media sharing buttons on the sidebar, inline, above and below the content of the post, on photos, popups, fly-ins. It has more than 40,000 active installations according to WP Plugin repository and over 500,000 downloads according to vendor WPBrigade. The vulnerability was discovered and reported on Feb 7, 2019, and a patched version was released just a day after, on Feb 8. But not automatically. So, if your website use this plugin, you should update it to the latest version as soon as possible. Otherwise there is a concrete risk that malicious hackers could access the options menu and hurt or even kill your digital creature.