Critical vulnerability in WordPress plugin Simple Social Buttons

A critical vulnerability has been found in the WordPress plugin Simple Social Buttons. It lets a non-admin user modify your WordPress installation's settings, which can allow them to take over your website.

So what is the issue here? Researchers at WebARX stated on Monday (2-11-19) that the vulnerability results from two issues in the Simple Social Buttons plugin: the way the application's request flow was designed, and a lack of permission checks. Together, these allow any user type to change any option in the ‘wp_options’ database table, which is where the crucial configuration of a WordPress installation is stored.

“Improper application design flow, chained with lack of permission check resulted in privilege-escalation and unauthorized actions in WordPress installation allowing non-admin users, even subscriber user type to modify WordPress installation options from the wp_options table,” Luka Sikic, developer and researcher with WebARX, wrote in a post on Monday.
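To make the bug class concrete, here is an added, illustrative example in PHP of the pattern WebARX describes: an AJAX handler that writes to wp_options without checking who is asking, next to a hardened version. This is not code from the Simple Social Buttons plugin; the action names (`ssb_save_option`, `ssb_save_option_safe`) and option names are hypothetical, and the WordPress functions used (`current_user_can`, `check_ajax_referer`, `update_option`, `sanitize_key`) are the standard core APIs.

```php
<?php
// Illustrative example, not code from the Simple Social Buttons plugin.
// It shows the class of bug the article describes: a request handler that
// writes to wp_options without checking who is asking.

// --- Vulnerable pattern -------------------------------------------------
// Registered for every logged-in user (wp_ajax_) and, worse, for anonymous
// visitors too (wp_ajax_nopriv_). Hypothetical action name.
add_action( 'wp_ajax_ssb_save_option',        'ssb_save_option_unsafe' );
add_action( 'wp_ajax_nopriv_ssb_save_option', 'ssb_save_option_unsafe' );

function ssb_save_option_unsafe() {
    // No capability check, no nonce, and the option NAME comes from the
    // request, so any wp_options row (siteurl, default_role, ...) can be set.
    $name  = isset( $_POST['option'] ) ? $_POST['option'] : '';
    $value = isset( $_POST['value'] )  ? $_POST['value']  : '';
    update_option( $name, $value );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
// Only registered for authenticated users; anonymous requests never reach it.
add_action( 'wp_ajax_ssb_save_option_safe', 'ssb_save_option_safe' );

function ssb_save_option_safe() {
    // 1. Authorisation: changing site configuration is an administrator task,
    //    so a subscriber-level account is rejected here regardless of login.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'ssb_save_option_safe', 'nonce' );

    // 3. Allow-list: the plugin decides which options it owns; the client
    //    cannot name arbitrary wp_options rows. Hypothetical option names.
    $allowed = array( 'ssb_share_position', 'ssb_enabled_networks' );
    $name = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    // 4. Input validation: sanitize the value before it is stored.
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';

    update_option( $name, $value );
    wp_send_json_success();
}
```

When auditing a plugin, the quick check is to grep for `update_option` and trace each call back to the handler that reaches it: any path from a `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` or REST route to `update_option` should pass through a capability check, a nonce check, and an allow-list of option names before it touches the database.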

Simple Social Buttons Exploit PoC by WebARX

The vulnerability, which is rated 9.1 on the CVSS v3 severity scale, was discovered on Feb. 7, and a patch was released on Feb. 8. Everyone running this plugin is strongly urged to update to the latest version, 2.0.22.

Patrick Domingues