WordPress Vulnerability

Insufficient Privilege Validation in NextScripts: Social Networks Auto-Poster

September 4, 2020John Castro

Exploitation Level: Easy / Remote

DREAD Score: 7.5

Vulnerability: Multiple

Patched Version: 4.3.18


NextScripts: Social Networks Auto-Poster is a plugin that automatically publishes posts from your blog to your social media accounts, such as Facebook, Twitter, Google+, Blogger, Tumblr, Flickr, LinkedIn, Instagram, Telegram, YouTube, WordPress, etc.

During a routine research audit for our Sucuri Firewall, we discovered post deletion, arbitrary posting to social networks, and arbitrary plugin settings update vulnerabilities affecting over 100,000 users of the WordPress plugin.

Disclosure / Response Timeline:

  • August 24, 2020: Initial contact attempt.
  • August 25, 2020: Technical details sent.
  • September 03, 2020: We contacted the WP team directly.
  • September 04, 2020: Patch is live.

Current State of the Vulnerability

The vulnerability can be exploited by any user with a subscriber account, and potentially by unauthenticated users once an attacker with a subscriber account changes the plugin settings. We are not aware of any exploit attempts currently using this vulnerability.

Technical Details

Vulnerable versions of this plugin expose several functionalities without the proper authorization checks, which allows a bad actor to do the following:

  • Remove posts (by corrupting the post type and other data)
  • Post arbitrary information to the site's social network accounts
  • Change the plugin settings

Here’s an example of a message sent by a subscriber to Telegram:

[Image: message claiming test post from vulnerability]

Critical settings that can be activated:

[Image: user privileges and security settings for NextScripts plugin]

An attacker can chain multiple attacks by combining the functionalities the plugin exposes. We'll provide more details in our vulnerability digest at the end of this month.
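As an added illustration of the bug class described above (not NextScripts code; the affected functions are not published here, and all names and option keys are hypothetical), a WordPress AJAX settings handler in its weak form, reachable by any logged-in user including a subscriber, beside the hardened form that adds the capability and nonce checks WordPress provides:

```php
<?php
// Added illustration of insufficient privilege validation in a WordPress
// plugin AJAX handler. Names are hypothetical; this is not NextScripts code.

// WEAK: 'wp_ajax_*' hooks fire for every authenticated user, so a subscriber
// can reach this action. Nothing verifies the caller's capability or a nonce,
// and user input is stored straight into the plugin's settings.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_weak' );
function example_save_settings_weak() {
    $settings = get_option( 'example_plugin_settings', array() );
    $settings['allow_all_users'] = isset( $_POST['allow_all_users'] ); // any account can flip this
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}

// HARDENED: same action, but only users allowed to manage options get through,
// the request must carry a nonce issued for this action, and the input is
// normalized to the expected type before it is stored.
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // 1. Authorization: this capability check is exactly what a "subscriber can
    //    reach admin functionality" bug is missing. Use the narrowest capability
    //    that fits the action; settings changes map to manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: check_ajax_referer() terminates the request when the
    //    nonce is missing or invalid. The settings page issues it with
    //    wp_create_nonce( 'example_save_settings_v2' ) and sends it as '_ajax_nonce'.
    check_ajax_referer( 'example_save_settings_v2', '_ajax_nonce' );

    // 3. Input validation: coerce to a boolean instead of trusting the raw value.
    $settings = get_option( 'example_plugin_settings', array() );
    $settings['allow_all_users'] = isset( $_POST['allow_all_users'] ) && '1' === $_POST['allow_all_users'];
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}

// Never register a state-changing action on 'wp_ajax_nopriv_*': that hook runs
// for unauthenticated visitors, which is how a settings change made by one
// low-privileged account can open the door to anonymous abuse.
```

Detection-wise, requests to admin-ajax.php carrying plugin-specific actions from accounts below the expected role are worth alerting on, since the capability check is what separates the two handlers above.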

Update as Soon as Possible

To protect against this vulnerability, we strongly encourage NextScripts: Social Networks Auto-Poster users to update their plugin to version 4.3.18 as soon as possible. Users who are unable to update immediately can leverage the Sucuri Firewall or equivalent technology to virtually patch the vulnerability.


Categories: Vulnerability Disclosure. Tags: WordPress Plugins and Themes

About John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPress plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn.
