Multiple Vulnerabilities in WordPress Social Warfare Plugin Could Allow for Remote Code Execution

Multiple Vulnerabilities in WordPress Social Warfare Plugin Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2019-037

DATE(S) ISSUED:

04/01/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in the WordPress Social Warfare Plugin, the most severe of which could allow for remote code execution. WordPress is a web-based publishing application implemented in PHP, and the Social Warfare Plugin allows users to add social sharing buttons to their content. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution with elevated privileges.

THREAT INTELLIGENCE:

Wordfence has not yet observed RCE activity, but expects new attacks based on the details of the vulnerabilities being published. The developers of the plugin confirmed active exploitation of the plugin’s stored cross site scripting vulnerability in the wild in March 2019.

SYSTEMS AFFECTED:

  • • WordPress Social Warfare Plugin versions 3.5.1 and 3.5.2

RISK:

Government:

  • Large and medium government entities: HIGH

  • Small government entities: MEDIUM

Businesses:

  • Large and medium business entities: HIGH

  • Small business entities: MEDIUM

Home Users:

LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in the WordPress Social Warfare Plugin, the most severe of which could allow for remote code execution. This vulnerability exists because the site configuration migration script directly executes attacker-controlled options as PHP code through the use of the PHP eval() function. An unauthenticated attacker can control the options by submitting a request to the script referencing a malicious configuration file. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution with elevated privileges that could allow the attacker to add administrative users, backdoors, execute system commands, or perform other malicious activity.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by WordPress manually to affected systems, immediately after appropriate testing.

  • Apply the Principle of Least Privilege to all systems and services.

  • Verify no unauthorized system modifications have occurred on system before applying patch.

  • Monitor intrusion detection systems for any signs of anomalous activity.

  • Unless required, limit external network access to affected products.

REFERENCES:

WordPress:

https://wordpress.org/plugins/social-warfare/

Technical Details:

https://www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/
https://www.wordfence.com/blog/2019/03/social-warfare-plugin-zero-day-details-and-attack-data/

More information
https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-wordpress-socia…