24 Apr 2019

Threatpost Spreads Inaccurate Information on Exploited WordPress Plugin Vulnerability from Palo Alto’s Unit 42

We often incorrectly get referred to as security researchers, something we have never claimed to be. Considering the quality of a lot of security research there might be good reason to avoid that title. One such example we just ran across also provides yet another example of the bad security journalism going on with WordPress plugin vulnerabilities. We thought we would write a quick post about it since we took a few minutes to look into the claims and what we found seems worth noting.

Yesterday we were notified through a Google alert of a Threatpost story, “Exploits for Social Warfare WordPress Plugin Reach Critical Mass”, which seemed odd since the main vulnerability, which we discovered, was widely exploited a while ago, so critical mass has likely long since passed. [Read more]

25 Mar 2019

There is Also an Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Social Warfare

Last week, through our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities, we found a vulnerability that would be likely to be exploited in the plugin Social Warfare, which has 70,000+ active installations according to wordpress.org. Due to the continued unwillingness of Matt Mullenweg or anyone on the WordPress team to rein in the inappropriate behavior of the moderators of the WordPress Support Forum, the vulnerability got fully disclosed and a lot of websites got hacked when they didn’t need to. The plugin was removed from the Plugin Directory after our disclosure and subsequently restored with the vulnerability removed, but the insecure code that surrounded it remained unchanged. That seems like something the team running the Plugin Directory should have caught, since our post went through what the insecure code was, but they don’t seem to have a great grasp of security, which the inappropriate behavior of the moderators of the Support Forum helps to hide.

To give us a better understanding of how secure or insecure, in general, a plugin that had such an easily spotted serious vulnerability is, we did some more checking over the plugin. What we found is that the code had numerous security issues and there clearly wasn’t consistent handling of security in the plugin. The code also seems like it is in need of cleanup, as in one place we found insecure code that appears to relate to functionality that isn’t even active in the plugin anymore. [Read more]

22 Mar 2019

WordPress Plugin Developers and Users Should Be Proactive, Not Reactive, About the Security of Them

This week the WordPress plugins Easy WP SMTP and Social Warfare had vulnerabilities, which have now been fixed, widely exploited. In both cases the vulnerabilities were not due to obscure issues that no one had ever heard of before, but to the failure to do security basics. In the case of both plugins, even after having vulnerabilities exploited, the developers still haven’t fully fixed up the security of the code related to the vulnerabilities (and the WordPress team has allowed them to remain in the Plugin Directory despite that).

Both plugins have started picking up quite a few negative reviews since the exploitation. [Read more]

22 Mar 2019

Closures of Very Popular WordPress Plugins, Week of March 22

While we are already far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was due to a vulnerability.

This week two of those plugins were closed and one of those has been reopened, despite the reason for its removal not being fully resolved. [Read more]

22 Mar 2019

Social Warfare Is Still Insecure

On Monday we noted that the WordPress team had missed that the plugin Easy WP SMTP still contained vulnerabilities due to code related to the code that has been widely exploited this week. We tried to notify the developer of the plugin of that through a message on the WordPress Support Forum, but the moderators blocked it, so the WordPress team has been aware that they missed those vulnerabilities for four days and yet they haven’t done anything about it. Using the moderation of the Support Forum to hide that there are problems with WordPress’ handling of security, instead of working to resolve them, is exactly the kind of thing that led us back in September to start fully disclosing vulnerabilities until the moderation of the forum is cleaned up.

You might think that someone on the WordPress side of things would have gotten the moderation cleaned up by now, since that by itself would make things better for the WordPress community and would also stop those full disclosures, but that still hasn’t happened. That had dire consequences yesterday, as a vulnerability we found in the plugin Social Warfare through our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities was widely exploited after we disclosed it. [Read more]

21 Mar 2019

Full Disclosure of Settings Change/Persistent Cross-Site Scripting (XSS) Vulnerability in Social Warfare

With our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities, we review a lot of code that ends up not being vulnerable, so even if flagged code looks rather concerning it doesn’t raise a lot of concern for us at first, even when, like the code flagged in the plugin Social Warfare (which we will get to in a moment), it indicates there might be a very serious vulnerability. When we checked over the rest of the code related to the flagged code in that plugin, we found that the plugin allows anyone to change the plugin’s settings, and that could be used to cause persistent cross-site scripting (XSS), which is just the sort of vulnerability hackers have shown a lot of interest in recently. The plugin has 70,000+ active installations according to wordpress.org, which makes it all the more likely that it would be exploited.

Our Plugin Security Checker flags the same code as possibly being vulnerable, though it gets flagged by that for a less serious issue, server-side request forgery (SSRF). [Read more]