Recent Social Warfare Vulnerability Allowed Remote Code Execution


In posts last week, Wordfence detailed a vulnerability in the Social Warfare plugin and discussed the attack campaigns against it. These issues were widely reported as Cross Site Scripting (XSS) flaws, because of an unexpected disclosure and proof of concept released by an unnamed researcher. Wordfence's Threat Intelligence team quickly released a firewall rule to mitigate the impact for Wordfence customers, and the plugin's author issued a patch shortly thereafter. Attackers have made persistent exploit attempts against this flaw, primarily connected to injected JavaScript redirect activity.

However, the patched vulnerability was not limited to XSS behavior. During the triage process, the Wordfence team identified additional exploitable behavior in Social Warfare's database migration code. This allowed remote code execution (RCE) on the vulnerable version, 3.5.2, in addition to the reported XSS capability.

Because the WordPress community had already been made aware of the critical 3.5.3 patch to the plugin, and because Wordfence had not identified any threat actors making use of this capability in the wild, Wordfence temporarily withheld this element from publication. Wordfence reached out to the WordPress.org plugin team to make sure they were aware of the issue, and has continued to monitor attack data to confirm that no malicious RCE attempts have been observed.

Read the full article at Wordfence

Source: wordfence.com