Patrick Domingues

There is a critical vulnerability in the WordPress plugin called Simple Social Buttons. The vulnerability can be used to enable a non-admin user to modify your WordPress installation and allow them to take over your website.

So what is the issue here? The researchers with WebARX stated on Monday (2-11-19) that the vulnerability results from two issues in the Simple Social Buttons plugin being how the application was coded and a lack of permission checks. This vulnerability allow any user type to change any option from the ‘wp_options’ database table, which is where the crucial configuration of a WordPress installation is located.

“Improper application design flow, chained with lack of permission check resulted in privilege-escalation and unauthorized actions in WordPress installation allowing non-admin users, even subscriber user type to modify WordPress installation options from the wp_options table,” Luka Sikic, developer and researcher with WebARX, stated on a Monday post.

The vulnerability, which is rated 9.1 on the CVSS v3 severity scale, was discovered on Feb. 7, and a patch was released on Feb. 8. Everyone with this plugin are critically urged to update to the latest version 2.0.22.

• Fixing WebView2 Issues on ARM64: Why Outlook and Teams Keep Breaking (and How to Fix Them)
• How to Enable Auto Recording & Transcription in Microsoft Teams and Assign Meeting Policies to All Users
• How to Install SentinelOne on Ubuntu 24.04
• How to Completely Remove SentinelOne from Ubuntu 24.04
• PowerShell Script to Force Uninstall Umbrella Roaming Client

Patrick Domingues

See Full Bio