February 11, 2019 by Luka Šikić
Finding security vulnerabilities is an important part of securing our clients' sites and improving our managed web application firewall. That is why WebARX analyzes WordPress plugins for security issues and reports them to the responsible developers or organizations.
During this research we found a vulnerability in the popular WordPress plugin Simple Social Buttons that allows non-admin users to modify WordPress installation options.
Simple Social Buttons is a popular free and paid WordPress plugin that adds social media sharing buttons in the sidebar, inline, above and below post content, on photos, and in popups and fly-ins.
The plugin has more than 40,000 active installations according to the WordPress Plugin repository and over 500,000 downloads according to the plugin vendor, WPBrigade.
An improper application design flow, chained with a missing permission check, resulted in privilege escalation and unauthorized actions in the WordPress installation, allowing non-admin users, even those with the subscriber role, to modify WordPress installation options from the
As can be seen in the screenshot, a function iterates through the JSON object provided in the request and updates every option it contains, taking option_name from the object key and option_value from that key's value, without checking whether the current user has permission to manage options or whether the provided option_name belongs to the plugin at all.
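To make the flaw pattern concrete, here is an added example (not Simple Social Buttons' own code) of a hypothetical AJAX settings handler, first in the unchecked form described above and then with the checks a plugin author should apply: a capability check, a nonce check, and an allow-list that restricts writes to the plugin's own options. The hook name `ssb_example_save_settings`, the nonce action and the option names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hook, nonce and option names are hypothetical.

// Unchecked form: every key in the JSON body becomes an option name and every value an
// option value, for any logged-in user. This is the shape of the flaw described above.
function ssb_example_save_settings_unchecked() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    foreach ( (array) $settings as $option_name => $option_value ) {
        update_option( $option_name, $option_value ); // no capability check, no allow-list
    }
    wp_send_json_success();
}

// Hardened form: only known plugin options may be written, each through its own sanitizer.
const SSB_EXAMPLE_ALLOWED_OPTIONS = array(
    'ssb_example_button_position' => 'sanitize_key',
    'ssb_example_show_counts'     => 'rest_sanitize_boolean',
);

function ssb_example_save_settings() {
    // 1. Capability check: only users allowed to manage options may reach the update loop.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }
    // 2. Nonce check against the 'nonce' request field; check_ajax_referer() dies on failure.
    check_ajax_referer( 'ssb_example_save_settings', 'nonce' );

    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'invalid_payload', 400 );
    }

    // 3. Allow-list: option names not owned by the plugin, including WordPress core
    //    options, are silently ignored instead of being written.
    $updated = array();
    foreach ( $settings as $option_name => $option_value ) {
        if ( ! isset( SSB_EXAMPLE_ALLOWED_OPTIONS[ $option_name ] ) ) {
            continue;
        }
        $sanitize = SSB_EXAMPLE_ALLOWED_OPTIONS[ $option_name ];
        update_option( $option_name, call_user_func( $sanitize, $option_value ) );
        $updated[] = $option_name;
    }
    wp_send_json_success( array( 'updated' => $updated ) );
}

// Only the hardened handler is registered, and only for logged-in users (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_ssb_example_save_settings', 'ssb_example_save_settings' );
```

A request from a subscriber account hits the capability check first and receives a 403, and an administrator's request can only change the two allow-listed options, so neither path can touch arbitrary installation options.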
If your website uses the WordPress plugin "Simple Social Buttons", you should update it to the latest version as soon as possible. The described vulnerability affects plugin versions from 2.0.4 up to, but not including, version 2.0.22, in which the developers introduced the patch.
The vulnerability was discovered and reported on Feb 7, 2019, and a patched version was released just a day after, on Feb 8, 2019. WebARX users are safe as rules have been shipped to the firewall on the day of discovery. Even if you’re a WebARX user, please make sure to update the plugin ASAP.