Critical vulnerability in WordPress Kiwi Social Sharing plugin actively exploited.

Revision: December 8, 2018

A critical vulnerability in the WordPress Kiwi Social Sharing plugin (versions < 2.0.11; 30,000+ active installations) has been actively exploited since December 6th. Similarly to the WP GDPR Compliance vulnerability, it allows attackers to modify the WordPress wp_options table in order to create administrator accounts or, for instance, redirect the blog to another website. The issue was disclosed by pluginvulnerabilities.com and was fixed on November 12th with the release of v2.0.11, but hackers are now actively exploiting it.
Here’s a sample of NinjaFirewall’s log showing the blocked hacking attempts:

       DATE         INCIDENT  LEVEL     RULE     IP            REQUEST
06/Dec/18 20:49:25  #7757463  CRITICAL  1354  104.131.115.23   POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:args = users_can_register] 
06/Dec/18 20:49:28  #1988783  CRITICAL  1354  104.131.115.23   POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:args = users_can_register 1] 
06/Dec/18 21:34:37  #3983063  CRITICAL  1354  85.214.219.42    POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:args = users_can_register] 
06/Dec/18 22:24:20  #3699978  CRITICAL  1354  213.246.57.59    POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:args = users_can_register 1] 
07/Dec/18 05:27:07  #4846613  CRITICAL  1354  178.128.240.72   POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:args = users_can_register 1] 
07/Dec/18 11:27:16  #4846631  CRITICAL  1354  52.32.43.240     POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:args = users_can_register] 

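As an added example (not part of the original post or of NinjaFirewall's own code), here is a small Python parser for the log format shown above that tallies blocked wp_options tampering attempts per source IP. The sample lines are constructed from the excerpt above; the regular expression is an assumption about the log layout.

```python
import re
from collections import Counter

# Constructed sample: the NinjaFirewall log lines quoted above.
SAMPLE_LOG = """\
06/Dec/18 20:49:25  #7757463  CRITICAL  1354  104.131.115.23   POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:args = users_can_register]
06/Dec/18 20:49:28  #1988783  CRITICAL  1354  104.131.115.23   POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:args = users_can_register 1]
06/Dec/18 21:34:37  #3983063  CRITICAL  1354  85.214.219.42    POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:args = users_can_register]
06/Dec/18 22:24:20  #3699978  CRITICAL  1354  213.246.57.59    POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:args = users_can_register 1]
07/Dec/18 05:27:07  #4846613  CRITICAL  1354  178.128.240.72   POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:args = users_can_register 1]
07/Dec/18 11:27:16  #4846631  CRITICAL  1354  52.32.43.240     POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:args = users_can_register]
"""

# Assumed layout: date time, #incident, level, rule id, client IP, method, path,
# free-text message, and an optional "[POST:args = <option> [<value>]]" field.
LINE_RE = re.compile(
    r"^(?P<date>\S+ \S+)\s+#(?P<incident>\d+)\s+(?P<level>\w+)\s+(?P<rule>\d+)\s+"
    r"(?P<ip>[\d.]+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+-\s+(?P<message>.*?)"
    r"(?:\s+-\s+\[POST:args = (?P<args>[^\]]*)\])?\s*$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The args field carries the option name and, when present, the value sent.
    parts = rec["args"].split() if rec["args"] else []
    rec["option"] = parts[0] if parts else None
    rec["value"] = parts[1] if len(parts) > 1 else None
    return rec


def options_tampering_by_ip(log_text, rule="1354", option="users_can_register"):
    """Count blocked attempts to change a given option, keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["rule"] == rule and rec["option"] == option:
            counts[rec["ip"]] += 1
    return counts
```

Running `options_tampering_by_ip(SAMPLE_LOG)` over the excerpt shows one repeat offender (two attempts from 104.131.115.23) and four single-shot sources, which is the kind of per-IP view useful for blocking or reporting.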
Update A.S.A.P. if you are running an old version of this plugin.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected. NinjaFirewall protects proactively against this type of vulnerability. In addition to blocking the attempts, NinjaFirewall will also send you a notification by email when someone tries to modify some important WordPress settings:

NinjaFirewall has blocked an attempt to modify some important WordPress settings by a user that does not have administrative privileges:

Option: Membership (users_can_register)
Original value: 0
Modified value: 1
Action taken: The attempt was blocked and the option was reversed to its original value.

You can review this option from your WordPress "Settings > General" page.

Blog: http://[REDACTED]/
User IP: 178.128.240.72
SCRIPT_FILENAME:  /var/chroot/home/content/[REDACTED]/html/wp-admin/admin-ajax.php
REQUEST_URI: /wp-admin/admin-ajax.php
Date: December 7, 2018 @ 05:27:07 (UTC +0700)

This protection (and notification) can be turned off from NinjaFirewall "Firewall Policies" page.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet