Contact Contact Us

Hackers Exploit Two Zero-day Bugs in WordPress Plugins

Popular Content Management System (CMS) WordPress is urging site owners to upgrade two vulnerable plugins that are being actively exploited in the wild. The Easy WP SMTP plugin (version 1.3.9), with 300,000 active installations, contains a bug that lets hackers modify a vulnerable website's overall setting. At least two hacker groups are scanning and compromising WordPress sites via the plugin to create rogue administrative accounts, which can be used to redirect visitors to malicious sites. Another plugin known as Social Warfare, with over 70,000 active installs, is vulnerable to a cross-site scripting flaw that lets attackers inject malicious JavaScript code into the social media share links on compromised websites. Site owners using the Easy WP SMTP plugin should upgrade to version while those using the Social Warfare plugin should upgrade to version 3.5.3. If upgrade is not possible, site owners are encouraged to uninstall the vulnerable plugins to avoid being exploited.

[1] Hackers Abusing Recently Patched Vulnerability in Easy WP SMTP Plugin
[2] Unpatched Zero-Day Vulnerability in Social Warfare Plugin Exploited in The Wild

Ensign InfoSecurity Singapore
30A Kallang Place
Singapore 339213

Tel: +65 6788 2882
Fax: +65 6788 3883