[BreachExchange] Zero-day Stored XSS Vulnerability Allowed Attackers to Compromise 70,000 Websites

Destry Winant destry at riskbasedsecurity.com
Wed Mar 27 09:13:12 EDT 2019


Researchers found that "Social Warfare", a social sharing plug-in
developed by Warfare Plugins, contains a critical stored XSS zero-day
flaw that allows attackers to inject malicious scripts and take over
vulnerable WordPress websites.

'Social Warfare' is a social sharing plugin that website owners use to
drive more traffic to their sites by collecting more social shares.

Among the plugin's debugging features is exploitable code that lets an
attacker's payload be stored in the website's database and retrieved
with every page request.

Quoting Sucuri's research, “These features aren’t directly used
anywhere and rely on various $_GET parameters to be executed, which
makes it easy to see if your site was attacked using this
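To make the mechanism concrete, here is an added illustration (not Social Warfare's code and not from Sucuri's write-up) of a $_GET-driven debug handler of the kind described above, first in a vulnerable form and then hardened; the hook and option names prefixed example_ are hypothetical, while the WordPress functions called are real.

```php
<?php
// Added illustration, not Social Warfare's own code: a debug-style handler of
// the shape the article describes, first as the vulnerable pattern, then
// hardened. Names prefixed example_ are hypothetical; the WordPress functions
// used (update_option, get_option, current_user_can, check_admin_referer,
// wp_unslash, sanitize_text_field, esc_html, wp_die, add_action) are real.

// ---- Vulnerable pattern -------------------------------------------------
// Reachable by any visitor: no capability check, no nonce, no sanitization.
function example_vulnerable_store() {
    if ( isset( $_GET['example_debug'] ) && 'store' === $_GET['example_debug'] ) {
        // Raw query-string value written straight into the options table.
        update_option( 'example_stored_value', $_GET['example_value'] ?? '' );
    }
}
// Rendered on every page without escaping, so whatever was stored runs in
// every visitor's browser: stored XSS.
function example_vulnerable_render() {
    echo get_option( 'example_stored_value', '' );
}

// ---- Hardened version ---------------------------------------------------
function example_hardened_store() {
    if ( ! isset( $_GET['example_debug'] ) || 'store' !== $_GET['example_debug'] ) {
        return;
    }
    // 1. Only administrators may write plugin options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. A valid nonce must accompany the request (blocks CSRF).
    check_admin_referer( 'example_debug_store' );
    // 3. Sanitize before storage: tags and control characters are removed.
    $value = sanitize_text_field( wp_unslash( $_GET['example_value'] ?? '' ) );
    update_option( 'example_stored_value', $value );
}
// 4. Escape on output regardless of what is stored (defence in depth).
function example_hardened_render() {
    echo esc_html( get_option( 'example_stored_value', '' ) );
}

// Register only the hardened pair; the vulnerable pair is shown for contrast.
add_action( 'admin_init', 'example_hardened_store' );
add_action( 'wp_footer', 'example_hardened_render' );
```

Because the vulnerable handler is keyed entirely on query-string parameters, a site owner can audit web server access logs for requests carrying those parameters to confirm whether an attempt was made.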

The exploit, which has been widely distributed worldwide, targets a
critical flaw that has allowed attackers to gain full control of
unpatched, vulnerable websites.

As exploitation continued, analysts observed multiple ongoing attack
attempts from over a hundred distinct IP addresses.

Reportedly, around 70,000 websites have the plugin installed, and the
attacks are likely to multiply while the flaw is left unpatched.
Meanwhile, experts advise users to update to version 3.5.3.
