WPBrigade, the developers behind the Simple Social Buttons plugin, have patched a critical privilege escalation vulnerability. The security issue was discovered by the team at WebARX. Developer and researcher Luka Šikić summarized the vulnerability in a post published this week:
Improper application design flow, chained with lack of permission check resulted in privilege escalation and unauthorized actions in WordPress installation allowing non-admin users, even subscriber user type to modify WordPress installation options from the wp_options table.
Simple Social Buttons is a plugin that makes it easy for users to add social buttons to posts, pages, archives, and, popups, fly-ins, and custom post types. More than 40,000 users have the free version of the plugin active on their sites. A commercial version is also available through the developer’s website.
The plugin’s authors released version 2.0.22 the day after WebARX disclosed the vulnerability, but some site owners and agencies may not have heard about the security issue. Not everyone checks for updates automatically or even once per month. WPBrigade has not yet alerted users to the vulnerability on their blog or Twitter account. The only mention is in the plugin’s changelog, which states: “Enhancement: Fix security issue.” Users who see an update notice in their dashboards are advised to update immediately.
Big thanks to WebARX team. We have alert our users as well as https://twitter.com/wpbrigade/status/1095961415767199744