WordPress site owners who use the “Simple Social Buttons” plugin to add social network sharing features should update it as soon as possible to close a security hole that can be exploited to take control of their sites.
Luka Šikić, a developer and researcher at the WordPress security company WebARX, discovered the problem last week and reported the flaw to the plugin's author.
The open door to all backdoors
In a report published today, he described the problem as an “inadequate development of the application, related to the lack of control of permissions.”
The report states that an attacker who can register a new account on a site can exploit this vulnerability to change key settings of the WordPress installation itself, well beyond the settings the plugin was intended to manage.
These changes can allow an attacker to take over a site by installing backdoors or hijacking administrator accounts.
In a demonstration video he posted on YouTube today, Šikić showed how dangerous the vulnerability is by changing the email address associated with the administrator account of a WordPress site.
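As an added illustration, not the plugin's own code, the class of defect the report describes: a WordPress AJAX settings handler that any logged-in user can reach (the `wp_ajax_*` hooks fire for every authenticated account, self-registered subscribers included) and that writes whichever option it is told to. The option names, action name and nonce action used here are hypothetical; the hardened version adds the capability check, nonce check and option allow-list that such a handler needs.

```php
<?php
// WEAK (hypothetical): reachable by any logged-in user, no capability or
// nonce check, and the caller picks the option. A subscriber account can
// therefore rewrite core settings such as the site's administrator email.
function ssb_demo_save_settings_weak() {
    $option = sanitize_key( $_POST['option'] ?? '' );
    $value  = wp_unslash( $_POST['value'] ?? '' );
    update_option( $option, $value );
    wp_send_json_success();
}

// HARDENED (hypothetical): only administrators, only with a valid nonce,
// and only the options this plugin actually owns.
function ssb_demo_save_settings_hardened() {
    // 1. Authorization: the caller must hold the capability for site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: the request must carry the nonce issued for this form.
    check_ajax_referer( 'ssb_demo_settings', 'nonce' );

    // 3. Allow-list: core options (admin_email, users_can_register, ...) are
    //    never writable through this handler, whatever the request says.
    $allowed = array( 'ssb_demo_networks', 'ssb_demo_position' );
    $option  = sanitize_key( $_POST['option'] ?? '' );
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $option, $value );
    wp_send_json_success();
}

// Register only the hardened handler; the weak one is shown for contrast.
add_action( 'wp_ajax_ssb_demo_save', 'ssb_demo_save_settings_hardened' );
```

When reviewing a plugin, the three checks above are what to look for on every `wp_ajax_*`, `admin_post_*` and REST callback that calls `update_option()`.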
Šikić notified WPBrigade, the company responsible for the plugin, last week; it issued a patch one day after his report.
Users are advised to install version 2.0.22 of Simple Social Buttons, released last Friday, February 8.
The issue should not be taken lightly. Some sites are already protected against this vulnerability because their administrators have disabled user registration for security reasons.
However, sites that allow users to register in order to comment on blog posts are exposed to attack and should apply the plugin update as soon as possible.
The plugin has been installed on more than 40,000 websites, according to statistics from the official WordPress plugin repository, making it an attractive target for WordPress botnet operators.