- A critical vulnerability in WordPress plugin ‘Simple Social Buttons’ could allow attackers to modify WordPress installation options.
- The security flaw is described as an improper application design flow chained with a lack of permission check.
Simple Social Buttons is a popular WordPress plugin, available in free and paid versions, that adds social media sharing buttons on the sidebar, inline, above and below the content of the post, on photos, and in popups and fly-ins. This plugin has been installed on more than 40,000 WordPress sites.
Luka Šikić, a developer and researcher at WordPress security firm WebARX, discovered a critical security vulnerability in the WordPress plugin ‘Simple Social Buttons’. This vulnerability could allow attackers to modify WordPress installation options.
More details on the vulnerability
Šikić described the security flaw as “an improper application design flow chained with a lack of permission check”. According to him, the two issues combined resulted in privilege escalation and unauthorized actions in the WordPress installation, allowing non-admin users to alter WordPress installation options.
“A function would iterate through JSON object provided in the request and update all options with option_name from object key and option_value from a key value without checking whether the current user has permission to manage options or provided option_name belongs to that plugin,” Šikić explained in a blog.
Šikić noted that the vulnerability affects plugin versions 2.0.4 and later. The security researcher also posted a demo video on YouTube describing the vulnerability.
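The flaw pattern from the quote above, next to a hardened handler, as an added example that is not the plugin's own code. It assumes an AJAX endpoint; every `example_plugin_*` name, the nonce action and the option names are hypothetical, and only the WordPress core functions are real.

```php
<?php
// Added illustration. All 'example_plugin_*' identifiers are hypothetical.

// Pattern described in the article: every key of the submitted JSON object is
// written as an option, with no capability check and no check on the key.
function example_plugin_import_vulnerable() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    foreach ( (array) $settings as $option_name => $option_value ) {
        update_option( $option_name, $option_value );
    }
    wp_send_json_success();
}

// Hardened form: the only option names this handler is allowed to write.
const EXAMPLE_PLUGIN_OPTIONS = array(
    'example_plugin_networks',
    'example_plugin_positions',
);

function example_plugin_import_hardened() {
    // 1. Reject forged requests (dies on a bad or missing nonce).
    check_ajax_referer( 'example_plugin_import', 'nonce' );

    // 2. Only users who may manage options can change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }

    // 3. Ignore any key that does not belong to this plugin.
    $updated = array();
    foreach ( $settings as $option_name => $option_value ) {
        if ( ! in_array( $option_name, EXAMPLE_PLUGIN_OPTIONS, true ) ) {
            continue;
        }
        // Values should still be sanitized per option before storing.
        update_option( $option_name, $option_value );
        $updated[] = $option_name;
    }
    wp_send_json_success( array( 'updated' => $updated ) );
}
// Register for logged-in users only; the capability check does the rest.
add_action( 'wp_ajax_example_plugin_import', 'example_plugin_import_hardened' );
```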
Patched version 2.0.22 released
Šikić reported the vulnerability to WPBrigade, the company behind the ‘Simple Social Buttons’ WordPress plugin, on February 7, 2019. Upon learning about the vulnerability, WPBrigade immediately released a patched version on February 8, 2019.
The researcher advised users to update to the latest version (2.0.22) of the ‘Simple Social Buttons’ WordPress plugin to avoid the exploit.