A bug in a WordPress plugin can be used to take over sites



WebARX experts have discovered a dangerous problem in the popular WordPress plugin Simple Social Buttons, which adds simple social networking buttons to websites. According to the researchers, the bug lies in the design of the application itself and is aggravated by incorrect rights verification.
If a potential attacker can register a new account on a vulnerable site, then by exploiting the bug he is also able to change the CMS settings, that is, go far beyond what the plug-in was originally meant to allow. In fact, an attacker can plant a backdoor on the site or take control of the administrator's account.
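The root cause described above, a settings handler reachable by any logged-in user that never checks who is calling, is a common WordPress plugin pattern. The following is an added illustration, not the Simple Social Buttons code; the `ssb_demo_*` function, hook and option names are hypothetical. It shows the weak handler beside a hardened one that verifies a nonce, requires the `manage_options` capability and only accepts option keys the plugin owns.

```php
<?php
// Illustrative pattern only (hypothetical names, not the real plugin's code):
// a plugin AJAX handler that writes settings via a wp_ajax_* hook.

// WEAK pattern: wp_ajax_ hooks fire for every authenticated role, including
// Subscriber, and this handler performs no nonce or capability check. Because
// the option name comes straight from the request, any registered user can
// overwrite core options (for example admin_email), not just plugin settings.
function ssb_demo_save_settings_weak() {
    $name  = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_ssb_demo_save_weak', 'ssb_demo_save_settings_weak' );

// HARDENED pattern: verify the nonce, require an administrator-level
// capability, and only accept keys from a fixed allow-list owned by the plugin.
function ssb_demo_save_settings_hardened() {
    check_ajax_referer( 'ssb_demo_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'ssb_demo_networks', 'ssb_demo_position' );
    $name    = sanitize_key( $_POST['name'] ?? '' );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_ssb_demo_save_hardened', 'ssb_demo_save_settings_hardened' );
```

When auditing a plugin, grep its `wp_ajax_` and `admin_post_` callbacks for a `current_user_can()` call: handlers that write options without one are exactly the class of bug this report describes.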
The video below shows how the bug is used to change the email address of the administrator account.
Before publishing information about the problem, the researchers notified the plug-in developers, the company WPBrigade, of the bug. They have already released Simple Social Buttons version 2.0.22, in which the vulnerability is fixed.
Administrators of vulnerable sites are urged to install the update as soon as possible, or to disable user registration. According to official statistics, the plugin is installed on more than 40,000 sites, and all of these can now become targets for botnet operators and other intruders.
