Plugin Name: Social Warfare
- Software Type: Plugin
- Software Slug: social-warfare
- Software Status: Active
- Software Author: warfareplugins
- Software Downloads: 1,609,161
- Active Installs: 30,000
- Last Updated: November 6, 2023
- Patched Versions: 4.4.4
- Affected Versions: <= 4.4.3
- Name: Social Sharing Plugin - Social Warfare <= 4.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
- Type: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2023-4842
- CVSS Score: 6.4 (Medium)
- Publicly Published: November 6, 2023
- Researcher: Lana Codes
- Description: The Social Sharing Plugin - Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'social_warfare' shortcode in versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Social Warfare plugin, which has over 1.6 million downloads and around 30,000 active installs, allows users to add social sharing buttons to their WordPress site.
The vulnerability could allow an attacker with contributor access or higher privileges to take over user accounts, steal session cookies, or redirect users to malicious sites. It has been assigned CVE identifier CVE-2023-4842 and a CVSS severity score of 6.4 (Medium).
Warfare Plugins, the developer of Social Warfare, has released version 4.4.4 which correctly sanitizes input to the shortcode parameters and escapes output to prevent XSS. Users are strongly advised to update as soon as possible.
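Added example, not code from Social Warfare or Warfare Plugins: a minimal WordPress shortcode handler showing the bug class the advisory describes (attribute values emitted into HTML without sanitization or escaping) beside the corrected handling. The shortcode tag, attribute names and CSS class are assumed for illustration, and the code assumes WordPress is loaded so shortcode_atts(), esc_attr(), esc_html(), absint() and sanitize_text_field() are available.

```php
<?php
// Illustrative only: not the plugin's code. Attribute names (post_id, networks,
// label), the CSS class and the shortcode tag are assumptions for this example.
//
// Why this is a Contributor+ issue: a Contributor lacks unfiltered_html, so
// kses strips <script> from the post body on save. Shortcode attributes are
// stored as plain text, and the handler builds HTML from them at render time,
// so whatever the handler emits unescaped bypasses that filtering for every
// visitor who loads the page (stored XSS).

// BEFORE: attribute values are interpolated verbatim into the markup.
function example_share_panel_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'post_id' => '', 'networks' => '', 'label' => '' ), $atts );
    return '<div class="sharing-panel" data-post-id="' . $atts['post_id'] . '"'
         . ' data-networks="' . $atts['networks'] . '">' . $atts['label'] . '</div>';
}

// AFTER: each value is coerced or sanitized on input and escaped for the exact
// context it lands in: absint() for a numeric attribute, esc_attr() inside an
// HTML attribute, esc_html() for a text node. A quote or angle bracket in an
// attribute can no longer break out of the attribute or start a tag.
function example_share_panel_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'post_id' => 0, 'networks' => '', 'label' => '' ),
        $atts,
        'share_panel_example'
    );

    // Allow-list the network list instead of echoing arbitrary input.
    $allowed  = array( 'twitter', 'facebook', 'pinterest', 'linkedin' );
    $networks = array_intersect( array_map( 'trim', explode( ',', $atts['networks'] ) ), $allowed );

    return sprintf(
        '<div class="sharing-panel" data-post-id="%d" data-networks="%s">%s</div>',
        absint( $atts['post_id'] ),
        esc_attr( implode( ',', $networks ) ),
        esc_html( sanitize_text_field( $atts['label'] ) )
    );
}

// Registered under an example tag so it cannot collide with the real plugin's
// [social_warfare] shortcode.
add_shortcode( 'share_panel_example', 'example_share_panel_safe' );
```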
Advice for Users:
- Immediate Action: Update to Social Warfare version 4.4.4 or higher as soon as possible.
- Check for Signs of Vulnerability: Review page and post content for unauthorized <script> tags or other signs of compromise.
- Alternate Plugins: Consider alternate social sharing plugins like ShareThis as a precaution.
- Stay Updated: Always keep your plugins updated to avoid future vulnerabilities.
The quick response from Warfare Plugins to patch this vulnerability is appreciated. WordPress site owners should ensure they are running Social Warfare version 4.4.4 or later to protect against this stored XSS issue from being exploited on their sites.
Social Warfare is a widely used WordPress plugin with over 1.6 million downloads and around 30,000 active installs. It provides easy social sharing buttons so visitors can share your content on social networks. Unfortunately, a vulnerability has been found that affects all versions up to and including 4.4.3.
This is a serious vulnerability assigned a CVSS severity score of 6.4 out of 10. All WordPress site owners using Social Warfare should update to version 4.4.4 as soon as possible to mitigate any risk. You should also review your content for unauthorized script tags or other signs of compromise. Alternate social sharing plugins like ShareThis can be considered as a precaution as well.
Social Warfare has faced security issues in the past, with 4 previous vulnerabilities reported since March 2019. This underscores the importance of prompt updates and not keeping outdated plugin versions active.
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.