WordPress Plugin Vulnerability Allows Website Takeover

This week seems to be super busy with data breaches and security vulnerabilities galore, looping you in on the latest vulnerability exposed today.

News is breaking that hackers are exploiting a critical vulnerability in WordPress plugin Simple Social Buttons, allowing privilege escalation so that non-admins can take over administrator accounts or even whole websites.

The plugin has more than 40,000 active installations, according to WordPress Plugin repository.

https://t.co/38Ekst7wxM A critical vulnerability in the WordPress plugin Simple Social Buttons allows an attacker to completely takeover a website.

— SC Media UK (@SCmagazineUK) February 14, 2019

Expert Comments below:

Bryan Becker, Application Security Researcher at WhiteHat Security:

“The WordPress platform is used by some of the world’s largest companies and approximately 30 percent of the world’s websites. WordPress’s latest vulnerability once again emphasizes the challenges and risks of using a large body of third-party maintained code. Methods to exploit the WordPress vulnerability are already available online, so it is absolutely critical that all companies implement the patch distributed by the company immediately. There’s no time to waste—unless they want to be the next major breach victim.

Steps that organizations can take to mitigate the risk of breaches prior to fixing include 1) implementing web application firewalls (WAFs) or runtime application self-protection (RASP), 2) using software composition analysis (SCA) to find vulnerable platforms and third-party libraries and add them to standard patch management (where possible), and best of all, 3) making security testing a part of the entire lifecycle of an application. Security training and education, continuous testing, along with IT and Ops teams partnering with security to understand and prioritize how to mitigate risk, are also vital.”