WPBrigade Patches Critical Vulnerability in Simple Social Buttons Plugin

WPBrigade, the developers behind the Simple Social Buttons plugin, have patched a critical privilege escalation vulnerability. The security issue was discovered by the team at WebARX. Developer and researcher Luka Šikić summarized the vulnerability in a post published this week:

Improper application design flow, chained with lack of permission check resulted in privilege escalation and unauthorized actions in WordPress installation allowing non-admin users, even subscriber user type to modify WordPress installation options from the wp_options table.

Simple Social Buttons is a plugin that makes it easy for users to add social buttons to posts, pages, archives, and, popups, fly-ins, and custom post types. More than 40,000 users have the free version of the plugin active on their sites. A commercial version is also available through the developer’s website.

The plugin’s authors released version 2.0.22 the day after WebARX disclosed the vulnerability, but some site owners and agencies may not have heard about the security issue. Not everyone checks for updates automatically or even once per month. WPBrigade has not yet alerted users to the vulnerability on their blog or Twitter account. The only mention is in the plugin’s changelog, which states: “Enhancement: Fix security issue.” Users who see an update notice in their dashboards are advised to update immediately.

3 Comments


    1. Same here, I was notified by WebArx regarding this critical vulnerability. Glad there are amazing WordPress devs that are really concern on their clients sending important reminders not just pure sales email.

      Report


  1. Calling this vulnerability critical might be a bit of an overstatement or at least could use some qualification. While the type of vulnerability can be used to take full control of the website, the easier form of exploitation requires the attacker to be logged in to WordPress. Seeing as user registration is disabled by default by WordPress, which is a smart move as shown by this vulnerability, the amount of those 40,000+ websites using this that were at much risk is likely limited.

    What seems of more concern here is that this is another example of something we see far too often, developers don’t make sure their plugins are secured from security issues they are aware of. In this case, the developer had fixed a vulnerability caused by the same lack of security in the same functionality in another of their plugins in November, but didn’t do anything about this plugin. That is the sort of thing that could use more coverage since right now it doesn’t seem like there is a good understanding of why the security of plugins is so poor and without that it doesn’t seem like there will be movement toward improving the situation.

    We checked the developer’s other plugins to see if any others were impacted and found that the functionality didn’t exist in any of the other plugins.

    Report

Comments are closed.