Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, unfortunately so far that hasn’t happened. Instead they have continued apace doing downright strange stuff, like deleting people just saying thank you, and inappropriate stuff, like continuing to violate their own guidelines to promote certain security companies to clean up hacked websites (and lying in the process, since the companies they promote as “reputable” are anything but, as one of them lies all the time and the other doesn’t even attempt to properly clean up hacked websites). Now comes the time when their refusal to clean up their act is likely to have a huge consequence.
Last week an option update vulnerability in the plugin WP GDPR Compliance was widely exploited after it was fixed. After that happened we went to do some checks related to that over the 1,000 most popular WordPress plugins, while looking into improving our automated tool for detecting possible security issues in plugins, the Plugin Security Checker, and we found that the plugin Kiwi Social Share also has the same type of vulnerability.
Earlier today we had a couple of requests on this website that look like they came from a hacker probing for usage of the plugin, as they twice made requests for a file from the plugin, /wp-content/plugins/kiwi-social-share/assets/js/kiwi.min.js. The hacker also requested files to check usage of WP GDPR Compliance, /wp-content/plugins/wp-gdpr-compliance/assets/js/admin.js, and Ultimate Member, /wp-content/plugins/ultimate-member/assets/js/um-scripts.js. The check for Ultimate Member would likely be related to trying to exploit a vulnerability fixed back in August.
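As an added example (not code from the original post), the following Python scans web server access-log lines for requests to the three plugin asset paths named above and groups the hits by client IP. The log lines are constructed, and the log format is assumed to be the common Apache/nginx combined format.

```python
import re
from collections import defaultdict

# Plugin asset paths the post reports being requested by the probing client.
PROBE_PATHS = {
    "/wp-content/plugins/kiwi-social-share/assets/js/kiwi.min.js": "kiwi-social-share",
    "/wp-content/plugins/wp-gdpr-compliance/assets/js/admin.js": "wp-gdpr-compliance",
    "/wp-content/plugins/ultimate-member/assets/js/um-scripts.js": "ultimate-member",
}

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_plugin_probes(log_lines):
    """Return {client_ip: sorted list of plugin slugs probed} for requests whose
    path (query string stripped) matches one of the known probe paths."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]
        slug = PROBE_PATHS.get(path)
        if slug:
            hits[m.group("ip")].add(slug)
    return {ip: sorted(slugs) for ip, slugs in hits.items()}


# Constructed sample log lines (not real traffic); 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges. The site here does not have the
# plugins installed, so the probes come back 404, which is itself a useful signal.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Nov/2018:14:02:11 +0000] "GET /wp-content/plugins/kiwi-social-share/assets/js/kiwi.min.js HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Nov/2018:14:02:12 +0000] "GET /wp-content/plugins/wp-gdpr-compliance/assets/js/admin.js HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Nov/2018:14:02:12 +0000] "GET /wp-content/plugins/ultimate-member/assets/js/um-scripts.js?ver=2.0 HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Nov/2018:14:02:13 +0000] "GET /wp-content/plugins/kiwi-social-share/assets/js/kiwi.min.js HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Nov/2018:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, slugs in find_plugin_probes(SAMPLE_LOG).items():
        print(f"{ip} probed for: {', '.join(slugs)}")
```

A single client requesting several of these files in quick succession, especially when the responses are 404s, is the pattern the post describes.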
In checking abuseipdb.com for other similar hacker probing, we found that an IP address used for malicious activity had done probing for a different file from the plugin back on November 15th.
We would say this would make people on the WordPress side of things reconsider their actions, but it seems like they may want WordPress websites to get hacked.