Another day, another zero-day: WordPress Social Sharing Plugin Social Warfare under attack.

Update: version 3.5.3 of the plugin has just been released; update as soon as possible.

Another day, another zero-day.
After the critical zero-day vulnerability in the WordPress Easy WP SMTP plugin that we discovered a few days ago, we started seeing WordPress websites hacked through a stored XSS vulnerability in the WordPress Social Sharing Plugin – Social Warfare v3.5.2 (70,000+ active installations). Attackers are currently using it to inject JavaScript code into the plugin's options, which are stored in the WordPress database and rendered back on the site's pages.

A quick search showed that a full disclosure (including a proof of concept) was published on the www.pluginvulnerabilities.com blog earlier today.

We have pushed a new set of rules for our NinjaFirewall WAF so make sure you are running the latest rules: “NinjaFirewall > Rules updates > Check For Updates Now!”. Both our free and premium users are protected against this vulnerability.
Otherwise, uninstall the plugin ASAP and wait for the fix to be published.

Hacked?

If you have been hacked, you can delete the plugin settings, which contain the offending JavaScript code, directly in the database with phpMyAdmin: find the social_warfare_settings row in your wp_options table (the table prefix may differ from wp_ on your site) and delete it. Delete the whole row rather than editing the value by hand: it is a PHP-serialized string with embedded length prefixes, and a manual edit will corrupt it.
As an alternative, you can uninstall the plugin, but note that uninstalling does not delete its settings, so the injected code stays in the database.
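The same cleanup as a set of SQL statements you can run from phpMyAdmin's SQL tab or the mysql client. This is an added example, not code from the original post or from the plugin; it assumes the default wp_ table prefix, and the backup table name social_warfare_settings_backup is our own choice. The last query goes beyond the specific row named in the post and sweeps the whole options table for script tags.

```sql
-- Added example (not from the original post): inspect, back up and remove the
-- Social Warfare settings row that carries the injected JavaScript.
-- Assumes the default WordPress table prefix "wp_"; adjust it if your site uses another.

-- 1. Confirm that a <script> tag is present in the stored settings and where it starts.
SELECT option_id,
       option_name,
       LENGTH(option_value)            AS value_length,
       LOCATE('<script', option_value) AS script_offset   -- 0 means "not found"
FROM wp_options
WHERE option_name = 'social_warfare_settings';

-- 2. Keep a copy of the row for forensics before deleting it
--    (backup table name is an assumption; pick any name you like).
CREATE TABLE IF NOT EXISTS social_warfare_settings_backup AS
SELECT * FROM wp_options
WHERE option_name = 'social_warfare_settings';

-- 3. Delete the whole row. Do not edit the serialized value in place.
--    You will have to reconfigure the plugin afterwards.
DELETE FROM wp_options
WHERE option_name = 'social_warfare_settings';

-- 4. Beyond the post: look for script tags or javascript: URLs in any other option,
--    in case the attacker stored code elsewhere as well.
SELECT option_id, option_name, LEFT(option_value, 120) AS value_preview
FROM wp_options
WHERE option_value LIKE '%<script%'
   OR option_value LIKE '%javascript:%';
```

Expect the sweep in step 4 to return some legitimate rows too (themes and analytics plugins commonly store script snippets in options), so review each hit before deleting it. If you have shell access, `wp option get social_warfare_settings` and `wp option delete social_warfare_settings` from WP-CLI do the same as steps 1 and 3.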
And as usual, don’t forget to change your admin password and install a web application firewall to protect your blog.