WordPress Social Warfare

Hello Team,


Today we have two new vulnerabilities out in the wild. They stem from Social Warfare, a popular WordPress plugin that adds social share buttons to your website or blog. Social Warfare is popular because it is easy to deploy and set up. Here is the link to their website if you would like to read more about their product, which has a vulnerability at the moment.


Warfare Plugin

  • https://warfareplugins.com/



According to the newly published CVE-2019-9978 from the National Vulnerability Database, the Social Warfare plugin before 3.5.3 has the following issues:

  1. Cross-site scripting (XSS)
  2. Remote code execution (RCE)

The vulnerability appears to come from the eval() function, which evaluates a string as PHP code. This class of bug is often called "eval injection": a remote user can supply a URL whose contents end up in an eval() statement without any input validation, allowing code execution on the web server.

The owasp.org website has a nice write-up of the eval injection method:


  • https://www.owasp.org/index.php/Direct_Dynamic_Code_Evaluation_(%27Eval_Injection%27)
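To make the eval injection pattern concrete, here is an added illustration (not code from the Social Warfare plugin or from the OWASP page) of what the vulnerable shape looks like and how the same "load remote settings" feature is written without eval(). The function names, the settings keys and the vendor host `settings.example.com` are invented for the example; the sample JSON at the bottom is constructed so the script runs without network access.

```php
<?php
// Added illustration of the "eval injection" pattern described in the post.
// This is NOT Social Warfare's code; the function names, the settings keys
// and the JSON settings format are invented for the example.

// Vulnerable shape: a URL supplied by the request is fetched and the response
// body is handed straight to eval(). Whoever controls that URL controls the
// PHP code running on the web server, so there is no input validation that
// can make this safe. Shown only for comparison; it is never called below.
function load_remote_settings_vulnerable(string $url): void
{
    $body = file_get_contents($url);   // remote, attacker-controllable content
    eval($body);                       // executes that content as PHP
}

// Hardened shape: no eval() at all. The remote document is treated as data,
// parsed strictly as JSON, and only known keys with the expected type are kept.
const ALLOWED_SETTINGS = [
    'button_color' => 'string',
    'show_counts'  => 'boolean',
    'max_buttons'  => 'integer',
];

function parse_settings_safely(string $json): array
{
    // JSON_THROW_ON_ERROR (PHP 7.3+) turns malformed input into an exception.
    $data = json_decode($json, true, 4, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('settings must be a JSON object');
    }
    $clean = [];
    foreach (ALLOWED_SETTINGS as $key => $type) {
        if (!array_key_exists($key, $data)) {
            continue;                  // missing keys fall back to plugin defaults
        }
        $value = $data[$key];
        if (gettype($value) !== $type) {
            throw new InvalidArgumentException("setting '$key' must be of type $type");
        }
        if ($key === 'button_color' && !preg_match('/^#[0-9a-fA-F]{6}$/', $value)) {
            throw new InvalidArgumentException('button_color must be a hex colour');
        }
        $clean[$key] = $value;
    }
    return $clean;                     // unknown keys are dropped, never executed
}

// The source URL is also restricted: HTTPS only, vendor host only, and the
// value comes from operator configuration, never from a request parameter.
function fetch_settings_from_allowed_host(string $url): array
{
    $parts = parse_url($url);
    if (($parts['scheme'] ?? '') !== 'https' || ($parts['host'] ?? '') !== 'settings.example.com') {
        throw new InvalidArgumentException('settings may only be loaded from the vendor host');
    }
    $ctx  = stream_context_create(['http' => ['timeout' => 5]]);
    $json = file_get_contents($url, false, $ctx);
    if ($json === false) {
        throw new RuntimeException('settings fetch failed');
    }
    return parse_settings_safely($json);
}

// Constructed sample document: three valid settings plus an unexpected key,
// which the safe parser simply discards.
$constructed = '{"button_color":"#3366ff","show_counts":true,"max_buttons":5,"unexpected":"dropped"}';
var_dump(parse_settings_safely($constructed));
```

The point of the hardened version is that the remote document can only ever change three typed settings; there is no code path by which its bytes become PHP. Restricting the source URL on top of that limits what an attacker gains even if the settings host is compromised.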



Anyone who has WordPress in their environment, please make sure you have updated the plugin to the latest version.

Also, keep an eye out in your logs for suspicious traffic to your web servers.
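As an added example of the log review recommended above (not part of the original post), the script below scans combined-format access log lines for requests that carry an embedded http(s) URL in the query string pointing at a host outside an allow-list. A share-button plugin legitimately passes the site's own URLs around, so the allow-list of expected hosts (`www.example.org` here, an example value) is what keeps the noise down; the log lines are constructed, and the flagged query parameter name is invented rather than taken from the plugin.

```php
<?php
// Added heuristic log scan, not part of the original post. Flags requests whose
// query string embeds a URL to a host that is not one of our own. The allow-list
// and the sample log lines below are constructed example values.

// Hosts that may legitimately appear inside a share URL for this site.
const EXPECTED_URL_HOSTS = ['www.example.org', 'example.org'];

// Parse one Apache/Nginx combined-format line into the fields we need.
// Returns null when the line does not match the expected layout.
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int)$m[5]];
}

// Return the hosts of any http(s) URLs embedded in the query string, after
// percent-decoding (embedded URLs are normally URL-encoded in the request).
function embedded_url_hosts(string $path): array
{
    $query = parse_url($path, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return [];
    }
    $decoded = rawurldecode($query);
    preg_match_all('#https?://([^/?&\s]+)#i', $decoded, $m);
    return array_map('strtolower', $m[1]);
}

// A request is suspicious if it embeds a URL whose host is not on the allow-list.
function is_suspicious(array $req): bool
{
    foreach (embedded_url_hosts($req['path']) as $host) {
        if (!in_array($host, EXPECTED_URL_HOSTS, true)) {
            return true;
        }
    }
    return false;
}

function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req !== null && is_suspicious($req)) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample lines: a normal share-button request carrying one of our
// own URLs, a request that points the site at an external host, and an
// unrelated page view. Only the second line should be reported.
$sample = [
    '203.0.113.7 - - [22/Mar/2019:10:01:02 +0000] "GET /?share=1&url=https%3A%2F%2Fwww.example.org%2Fpost-1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [22/Mar/2019:10:01:05 +0000] "GET /?u=http%3A%2F%2F198.51.100.9%2Fremote.txt HTTP/1.1" 200 120',
    '203.0.113.8 - - [22/Mar/2019:10:01:09 +0000] "GET /about/ HTTP/1.1" 200 2048',
];

foreach (scan_log($sample) as $hit) {
    printf("SUSPICIOUS %s %s %s %d\n", $hit['time'], $hit['ip'], $hit['path'], $hit['status']);
}
```

Run it against a real log with `php scan.php < /dev/null` adapted to read `file('/var/log/apache2/access.log')` instead of `$sample`. Treat hits as leads, not verdicts: a 200 response to a request that fetched an external URL is worth a closer look at that host and at what the web server did next, while repeated hits from one source IP are a good candidate for blocking at the edge.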

Thank you,
AzNetAdmin
