About 42,000 websites have not updated to the latest version of the Social Warfare WordPress plugin, leaving themselves open to a pair of vulnerabilities that are being exploited in the wild.
Palo Alto’s Unit 42 research team is reporting that the two problems, both rated medium-level threats and tracked under CVE-2019-9978, were patched through a release posted on March 21. But any site that has not updated could be hit with a remote code execution or cross-site scripting attack. Versions 3.5.3 and earlier of Social Warfare, which adds social sharing buttons to websites, are at issue.
“An attacker can use these vulnerabilities to run arbitrary PHP code and control the website and the server without authentication. The attackers may use the compromised sites to perform digital coin mining or host malicious exploit code,” Unit 42 wrote.
In tracking the threat, the researchers found five compromised sites that are actively being used for hosting malicious exploit code.
Social Warfare is the most recent WordPress plugin to find itself in the news. In the last couple of months, Yuzo Related Posts, Duplicate-Page and Easy WP SMTP were all called out for different issues.