WordPress plugin flaw lets you take over entire sites
WordPress site owners who are using the Simple Social Buttons plugin to support social media sharing features should update the plugin as soon as possible to plug a security hole that can be exploited to take over sites.
Luka Šikić, a developer and researcher at WordPress security firm WebARX, discovered the security issue last week and reported the problem to the plugin’s author.
In a report published today, he described the issue as an “improper application design flow, chained with lack of permission check.”
He says that an attacker who can register new accounts on a site can exploit this vulnerability to make modifications to a WordPress site’s main settings, outside to what the plugin was initially meant to manage.
These modifications can allow an attacker to take over sites by installing backdoors or taking over admin accounts.
In a demo video he posted on YouTube today, Šikić showed how dangerous the vulnerability is by changing the email address associated with a WordPress site’s admin account.
Šikić says he notified WPBrigade, the company behind the plugin, last week, and they released a patch a day after his report.
Users are advised to install Simple Social Buttons version 2.0.22, released last Friday, on February 8.
The issue should not be taken lightly due to its consequences. Some sites are inherently protected against this vulnerability, as their admins have already blocked user registration due to security reasons.
However, sites that let users register to post comments on blog posts are vulnerable to attacks and should apply the plugin update as soon as possible.
The plugin has been installed on more than 40,000 websites, according to statistics from the official WordPress Plugins repository, making it an attractive target for WordPress botnet operators.