WordPress plugin patches flaw that gave hackers potential access to 40,000 websites
A new vulnerability in a popular WordPress plugin could allow outsiders who exploit the flaw to take control of a website, according to new research.
Luka Šikić, who works as a security developer at WebARX, published a report Monday revealing the bug in the Simple Social Buttons plugin, which more than 40,000 websites use to distribute their content on Facebook, Twitter and others. The problem would allow hackers to modify a WordPress site’s settings in a way plugin developers did not intend.
WPBrigade, the firm that developed Simple Social Buttons, patched the flaw in the 2.0.22 software update, which was released Friday. Šikić said he informed WPBrigade about the vulnerability on Feb. 7, and that the company fixed the issue within a day.
“If your website uses the WordPress plugin ‘Simple Social Buttons,’ you should update it to the latest version as soon as possible,” WebARX said in a blog post detailing the findings.
WebARX’s research comes just weeks after an unrelated incident in which a former employee hacked the website of WPML, another popular WordPress plugin that allows WordPress operators to run their websites in different language. In that case, WPML said the former employee used inside information and a hidden vulnerability to send spam to WPML clients.
In another case last year, hackers exploited a bug in the plugin WP GDPR Compliance to create their own administrator accounts on WordPress websites.
The sheer popularity of the WordPress content management system makes websites hosted there an alluring hacking target. Of the roughly 182 million websites active online, according to the internet research company Netcraft, some 60 million of those are WordPress, W3Techs data says. By infiltrating one component of the WordPress environment, attackers could leverage that vulnerability into many others.