Patrick Domingues

There is a critical vulnerability in the WordPress plugin called Simple Social Buttons. The vulnerability can be used to enable a non-admin user to modify your WordPress installation and allow them to take over your website.

So what is the issue here? The researchers with WebARX stated on Monday (2-11-19) that the vulnerability results from two issues in the Simple Social Buttons plugin being how the application was coded and a lack of permission checks. This vulnerability allow any user type to change any option from the ‘wp_options’ database table, which is where the crucial configuration of a WordPress installation is located.

“Improper application design flow, chained with lack of permission check resulted in privilege-escalation and unauthorized actions in WordPress installation allowing non-admin users, even subscriber user type to modify WordPress installation options from the wp_options table,” Luka Sikic, developer and researcher with WebARX, stated on a Monday post.

The vulnerability, which is rated 9.1 on the CVSS v3 severity scale, was discovered on Feb. 7, and a patch was released on Feb. 8. Everyone with this plugin are critically urged to update to the latest version 2.0.22.

• How to Install SentinelOne on Ubuntu 24.04
• How to Completely Remove SentinelOne from Ubuntu 24.04
• PowerShell Script to Force Uninstall Umbrella Roaming Client
• How to Install Moodle on a Ubuntu 24.04 VPS with a Scripted Guide
• Automating System Updates with Unattended-Upgrades on Ubuntu

Patrick Domingues

See Full Bio