WordPress Plugin Vulnerability Report – Social Media Share Buttons & Social Sharing Icons – Cross-Site Request Forgery – CVE-2023-5602 – Information Exposure – CVE-2023-5070
Plugin Name: Social Media Share Buttons & Social Sharing Icons
Key Information:
- Software Type: Plugin
- Software Slug: ultimate-social-media-icons
- Software Status: Active
- Software Author: socialdude
- Software Downloads: 10,654,500
- Active Installs: 100,000
- Last Updated: October 16, 2023
- Patched Versions: 2.8.6
- Affected Versions: <=2.8.5
Vulnerability 1 Details:
Name: Social Media Share Buttons & Social Sharing Icons <= 2.8.5 - Cross-Site Request Forgery
Type: Cross-Site Request Forgery (CSRF)
CVE: CVE-2023-5602
CVSS Score: 4.3 (Medium)
Publicly Published: October 16, 2023
Researcher: Marco Wotschka
Description: The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on several functions corresponding to AJAX actions. This makes it possible for unauthenticated attackers to invoke those actions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ultimate-social-media-icons
Vulnerability 2 Details:
Name: Social Media Share Buttons & Social Sharing Icons <= 2.8.5 - Information Exposure
Type: Information Exposure
CVE: CVE-2023-5070
CVSS Score: 6.5 (Medium)
Publicly Published: October 16, 2023
Researcher: Marco Wotschka
Description: The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.8.5 via the sfsi_save_export function. This can allow subscribers to export plugin settings that include social media authentication tokens and secrets as well as app passwords.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ultimate-social-media-icons
Summary:
The Social Media Share Buttons & Social Sharing Icons plugin for WordPress contains two vulnerabilities in versions up to and including 2.8.5: a CSRF issue that could allow unwanted actions, and an information exposure bug that reveals sensitive social media credentials. Both have been addressed in version 2.8.6.
Detailed Overview:
The Social Media Share Buttons & Social Sharing Icons plugin has two newly discovered security issues. First, it is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 2.8.5. This is due to missing or incorrect nonce validation on several AJAX actions. An attacker could exploit this to invoke unwanted actions if a logged-in administrator visits a malicious site while still authenticated to their WordPress dashboard. The second issue is an information exposure bug via the sfsi_save_export function in versions up to and including 2.8.5. It allows subscribers to export plugin settings containing sensitive social media secrets and passwords. Together, these represent a serious security risk that requires immediate action to patch.
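As an added illustration (this is not code from the plugin, from Wordfence, or from this report), the following sketch shows the two controls whose absence the advisory describes: nonce validation on an AJAX action, and a capability check before settings containing tokens and app passwords can be exported. The action name, function names and option key are assumed; the insecure handler is a generic pattern, not the plugin's actual sfsi_save_export source.

```php
<?php
// Added example, not the plugin's own code. All names below are assumed.

// Pattern the advisory describes (generic sketch): a handler reachable by any
// logged-in user, including subscribers, with no nonce and no capability check.
add_action( 'wp_ajax_example_export_settings_insecure', 'example_export_settings_insecure' );
function example_export_settings_insecure() {
    wp_send_json_success( get_option( 'example_plugin_settings', array() ) );
}

// Hardened form. Registered for logged-in users only (no wp_ajax_nopriv_ hook),
// so an unauthenticated request never reaches the function at all.
add_action( 'wp_ajax_example_export_settings', 'example_export_settings' );

function example_export_settings() {
    // 1. Nonce check: rejects cross-site forged requests. The nonce must have
    //    been issued by wp_create_nonce( 'example_export_settings' ) and sent in
    //    the "_ajax_nonce" field. On failure check_ajax_referer() terminates the
    //    request with a -1 response before any action is taken.
    check_ajax_referer( 'example_export_settings', '_ajax_nonce' );

    // 2. Capability check: a valid nonce proves intent, not privilege. Exporting
    //    settings that hold OAuth tokens and app passwords is an administrator
    //    task, so subscribers are refused here with a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Only then read the settings. Secret-bearing keys (assumed names) are
    //    redacted so the exported file is not itself a credential store.
    $settings = get_option( 'example_plugin_settings', array() );
    $redact   = array( 'app_password', 'oauth_token', 'oauth_secret' );
    foreach ( $redact as $key ) {
        if ( isset( $settings[ $key ] ) ) {
            $settings[ $key ] = '[redacted]';
        }
    }

    wp_send_json_success( $settings );
}

// The admin-side script receives the nonce via wp_localize_script(); it is
// created with the same action string that check_ajax_referer() verifies.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_export_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The two checks are independent: the nonce stops a forged request from a site the administrator happens to be visiting, while the capability check stops a legitimately logged-in low-privilege account from reaching the export. A fix that adds only one of them leaves the other vulnerability in place.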
Advice for Users:
- Immediate Action: Update to version 2.8.6 or higher immediately to address both the CSRF and information exposure vulnerabilities.
- Check for Unauthorized Changes: Review your WordPress site and connected social media accounts for any unauthorized modifications made through these vulnerabilities.
- Consider Alternatives: If you cannot update right away, you may want to switch to an alternative social sharing plugin such as AddThis or Shareaholic.
- Increase Security: Enable two-factor authentication on your social media accounts to protect your credentials.
- Stay Updated: Make sure automatic background updates are enabled for WordPress and all plugins.
Conclusion:
These twin vulnerabilities underscore the importance of comprehensive security hardening for WordPress sites. The CSRF flaw could have enabled unwanted actions on sites with this plugin activated. Additionally, the information exposure bug posed a serious risk of social media account takeover. Fortunately, the plugin authors have addressed both issues promptly in version 2.8.6. All users should update immediately and review their sites for any signs of compromise. Enabling automatic updates can help prevent falling victim to future threats as they are discovered.
Detailed Report:
Staying on top of WordPress security is a never-ending task. That's why the recent discovery of multiple vulnerabilities in a widely-used social media plugin serves as an urgent reminder to keep your site updated. The Social Media Share Buttons & Social Sharing Icons plugin has over 10 million downloads and 100,000 active installs. But versions up to and including 2.8.5 contain flaws that could allow cross-site request forgery and information exposure of valuable social media credentials. While the developer has patched this in version 2.8.6, any site still running an older release remains at serious risk. Don't wait to find out the hard way if your site has been compromised. Take action today to update this plugin if you use it.
The Social Media Share Buttons & Social Sharing Icons plugin is a commonly used tool that adds social media share buttons to WordPress sites. It has over 10 million total downloads and around 100,000 active installs according to wordpress.org. The plugin is developed by socialdude and provides easy social sharing options for Facebook, Twitter, LinkedIn and more.
Unfortunately, researchers recently discovered two security vulnerabilities affecting versions up to and including 2.8.5:
- A cross-site request forgery (CSRF) issue that could allow unwanted actions or changes to a site if a user visits a malicious page while logged into their WordPress dashboard.
- An information exposure bug that could reveal sensitive social media credentials like passwords and API keys if exploited.
Together, these flaws pose a serious risk of account compromise or site defacement if left unpatched. The CSRF weakness means an attacker could potentially take over social media accounts connected to the plugin if they trick a user into clicking a link. The information exposure issue makes it possible to steal API keys and passwords for those accounts.
The researcher responsible, Marco Wotschka, disclosed these vulnerabilities on October 16, 2023. The developer quickly responded by releasing version 2.8.6 to address both problems. However, any site still using an older version remains vulnerable.
If your site has this popular social sharing plugin installed, it is critical you update to the latest secure release immediately. You should also review connected social media accounts for any unauthorized changes as a precaution. Enabling two-factor authentication provides an extra layer of protection for your credentials.
This is not the first time security issues have been found in this plugin. There have been 9 previous vulnerabilities reported since May 2015, underscoring the need for constant vigilance.
Keeping your WordPress site and plugins updated is the best defense against threats like this. Enable automatic background updates if you haven't already done so. And consider hiring a managed WordPress host or developer to handle security patching for you if staying on top of these things is a challenge. Don't let your site be the next victim - take action today to lock things down.
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.