Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Tag Archives: Kiwi Social Share

30 Nov 2018

Hackers Have Been Probing For Usage of the Kiwi Social Share WordPress Plugin for a Couple of Weeks

Back on the 12th we full disclosed an option update vulnerability in the plugin Kiwi Social Share and said this at the beginning of that post:

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, unfortunately so far that hasn’t happened. Instead they have continued apace doing downright strange stuff, like deleting people just saying thank you, and inappropriate stuff, like continuing to violate their own guidelines to promote certain security companies to clean up hacked websites (and lying in the process since the companies they promote as “reputable” are anything but, as one of them lies all the time and the other doesn’t even attempt to properly clean up hacked websites). Now comes the time when their refusal to clean up their act is likely to have a huge consequence. [Read more]

Plugin Vulnerabilities | Posted in Analysis | Analysis, Kiwi Social Share | 2 Comments

12 Nov 2018

Full Disclosure of Information Disclosure Vulnerability in Kiwi Social Share

While looking into an option update vulnerability in the plugin Kiwi Social Share we noticed that right above the code for that vulnerability was code that causes another vulnerability: an information disclosure vulnerability that allows anyone to view the contents of any WordPress option (setting).

In the file /includes/lib/helpers/class-kiwi-social-share-helper.php the function kiwi_social_share_get_option() is made available through WordPress AJAX functionality whether the request is coming from someone logged in to WordPress or not: [Read more]

Plugin Vulnerabilities | Posted in Vulnerability Report | Information Disclosure, Kiwi Social Share, Kiwi Social Share - Social Media Share Buttons & Icons, Social Sharing Plugin – Kiwi, Vulnerability Report | 1 Comment

12 Nov 2018

Full Disclosure of Option Update Vulnerability in WordPress Plugin With 30,000+ Installs

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, unfortunately so far that hasn’t happened. Instead they have continued apace doing downright strange stuff, like deleting people just saying thank you, and inappropriate stuff, like continuing to violate their own guidelines to promote certain security companies to clean up hacked websites (and lying in the process since the companies they promote as “reputable” are anything but, as one of them lies all the time and the other doesn’t even attempt to properly clean up hacked websites). Now comes the time when their refusal to clean up their act is likely to have a huge consequence.

Last week an option update vulnerability in the plugin WP GDPR Compliance was widely exploited after it was fixed. After that happened, while looking into improving our automated tool for detecting possible security issues in plugins, the Plugin Security Checker, we ran some related checks over the 1,000 most popular WordPress plugins and found that the plugin Kiwi Social Share also has the same type of vulnerability. [Read more]

Plugin Vulnerabilities | Posted in Vulnerability Report | Kiwi Social Share, Kiwi Social Share - Social Media Share Buttons & Icons, Option Update, Social Sharing Plugin – Kiwi, Vulnerability Report
