A recently discovered vulnerability found in the plugin named “Simple Social Buttons,” lets others gain control of your entire website.
The “Simple Social Buttons” plugin currently has an install base of more than 40,000 WordPress sites. Website owners are advised to update the plugin as soon as possible to fix a security issue that can allow others to take control of the entire site.
Developer and researcher from WordPress security firm WebARX, Luka Šikić, has discovered the security hole recently and has already reported the problem to the plugin’s author.
In a report published on the WebARX website, Šikić described the issue as an “improper application design flow, chained with lack of permission check.”
Attackers who are able to register a new account on the affected website can exploit this vulnerability to gain complete control of the site. With access to the WordPress site’s main settings, they can then install backdoors or take over admin accounts.
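The flaw described above is a missing permission check on a handler that writes site settings. The following PHP is an added illustration of that pattern and of the corresponding hardened form; it is not code from the Simple Social Buttons plugin or from WebARX, and every function, action and option name prefixed `hypothetical_` is an assumption made for the example.

```php
<?php
// Added illustration (not the plugin's own code): a settings-saving AJAX
// handler with no permission check, beside the hardened version.
// All hypothetical_* names are assumptions for this example.

// VULNERABLE PATTERN: wp_ajax_* hooks are reachable by any logged-in user,
// including a freshly registered subscriber. This handler writes whatever
// option names and values the request supplies, with no nonce check and no
// capability check, so core options such as the admin e-mail could be changed.
function hypothetical_save_settings_unchecked() {
    $options = json_decode( wp_unslash( $_POST['options'] ?? '' ), true );
    foreach ( (array) $options as $name => $value ) {
        update_option( $name, $value );
    }
    wp_send_json_success();
}

// HARDENED FORM: verify the nonce, require the manage_options capability,
// and only write an allow-list of the plugin's own options.
function hypothetical_save_settings_checked() {
    // Rejects the request (HTTP 403) if the nonce is missing or invalid.
    check_ajax_referer( 'hypothetical_settings_nonce', 'nonce' );

    // Only administrators (holders of manage_options) may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $allowed = array( 'hypothetical_button_style', 'hypothetical_networks' );
    $options = json_decode( wp_unslash( $_POST['options'] ?? '' ), true );
    if ( ! is_array( $options ) ) {
        wp_send_json_error( 'bad payload', 400 );
    }

    foreach ( $options as $name => $value ) {
        // Drop anything outside the plugin's own option namespace.
        if ( ! in_array( $name, $allowed, true ) || ! is_scalar( $value ) ) {
            continue;
        }
        update_option( $name, sanitize_text_field( (string) $value ) );
    }
    wp_send_json_success();
}

// Register only the hardened handler, and only for logged-in users
// (no wp_ajax_nopriv_ variant, so anonymous requests never reach it).
add_action( 'wp_ajax_hypothetical_save_settings', 'hypothetical_save_settings_checked' );
```

The two checks address different risks: the nonce stops a cross-site request forged against a logged-in administrator, while the capability check is what prevents a self-registered low-privilege account from reaching the handler at all. The allow-list is the third layer, so that even an authorised caller cannot write core options through the plugin's endpoint.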
The researcher also posted a demo video on YouTube showing just how dangerous this security flaw in the “Simple Social Buttons” plugin is, by changing the email address associated with a WordPress site’s admin account.
WPBrigade, the company behind the plugin, has already released a patch a day after this report and users are advised to update the Simple Social Buttons plugin to version 2.0.22.
Having an install base of 40,000 websites makes this security flaw a good target for WordPress botnet operators.
Update: Sites that block user registration are protected against this vulnerability, while sites that let users register on the site are vulnerable to this security flaw and should update the plugin as soon as possible.