Maintaining WordPress can be a full-time job, and even those who manage their own installations “know” that updates are important. But very few WordPress users really understand just how critical keeping things up-to-date can be. In the case of Zero Day vulnerabilities, not doing so could mean losing everything (yet another reason to maintain backups; but that’s a lesson for another article).
What is the vulnerability?
The WPBrigade third-party WordPress plugin known as Simple Social Buttons was found to be vulnerable to a Zero Day exploit, allowing potential attackers absolute control over the affected site. This particular vulnerability does require the attacker to have access to a registered user account, so sites that do not allow public user registration are marginally less vulnerable than sites that do. Still, all it takes is a single user account, even that of an owner or author, to take advantage of the flaw and gain unauthorized access.
The announcement of this vulnerability came from Luka Šikić, a developer at WebARX, which specializes in website security and provides security products for WordPress and other popular CMS platforms. An update for the Simple Social Buttons plugin was released very quickly after Šikić’s identification, and WPBrigade made efforts to ensure users were aware by announcing the issue on Twitter a few days later.
What should be done?
As WPBrigade has already updated the Simple Social Buttons plugin, users should be able to update from within their WordPress Dashboard, or by contacting WPBrigade on Twitter or through their website.
A Quick Reminder
Cozaq would like to remind you that keeping your WordPress core installation, themes, and plugins up-to-date should always be a priority. As a WordPress user or developer, you should also routinely check on your themes and plugins to make sure they’re still actively being developed. WordPress themes and plugins frequently get abandoned or replaced by new alternatives, and webmasters need to be aware of how well their site’s code is being maintained.
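To put the "check that your plugins are still maintained" advice into practice, here is an added example (not Cozaq's or WPBrigade's code) that audits a plugin inventory for pending updates, plugins missing from the directory, and plugins with no release in two years. It assumes the JSON shape of WP-CLI's `wp plugin list --format=json` and the `last_updated` field of the wordpress.org plugin info API; every plugin name other than simple-social-buttons, and all versions and dates, are constructed for the demonstration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `wp plugin list --format=json` output (hypothetical
# installation; slugs other than simple-social-buttons and all versions are invented).
WP_PLUGIN_LIST = json.dumps([
    {"name": "simple-social-buttons", "status": "active", "update": "available",
     "version": "1.0.0", "update_version": "1.0.1"},
    {"name": "example-stale-plugin", "status": "active", "update": "none",
     "version": "2.3.0", "update_version": ""},
    {"name": "in-house-custom-plugin", "status": "inactive", "update": "none",
     "version": "0.9", "update_version": ""},
])

# Constructed stand-in for the `last_updated` field returned by
# https://api.wordpress.org/plugins/info/1.0/<slug>.json, keyed by slug.
# Dates are invented; the real API prefixes the value with YYYY-MM-DD.
PLUGIN_INFO = {
    "simple-social-buttons": {"last_updated": "2019-02-08 2:36pm GMT"},
    "example-stale-plugin": {"last_updated": "2016-05-01 9:00am GMT"},
}

# Fixed "today" so the audit is reproducible offline.
FIXED_NOW = datetime(2019, 2, 15, tzinfo=timezone.utc)

def audit_plugins(plugin_list_json, plugin_info, now=FIXED_NOW, max_age_days=730):
    """Return (slug, reason) findings for plugins that need attention:
    a pending update, no directory entry (removed/closed or private),
    or no release within max_age_days (likely abandoned)."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug = plugin["name"]
        if plugin.get("update") == "available":
            findings.append((slug, f"update available: {plugin['version']} -> {plugin['update_version']}"))
        info = plugin_info.get(slug)
        if info is None:
            findings.append((slug, "not listed in the wordpress.org directory"))
            continue
        # Only the date prefix is parsed; the time/zone suffix varies by locale.
        released = datetime.strptime(info["last_updated"][:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        age = now - released
        if age > timedelta(days=max_age_days):
            findings.append((slug, f"no release for {age.days} days; possibly abandoned"))
    return findings


if __name__ == "__main__":
    for slug, reason in audit_plugins(WP_PLUGIN_LIST, PLUGIN_INFO):
        print(f"{slug}: {reason}")
```

On a live site, replace the constructed inventory with the real `wp plugin list --format=json` output and fetch each slug's info from the API; a plugin that is flagged as missing from the directory deserves a closer look, since closed plugins stop receiving security fixes.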
More information on keeping WordPress and its plugins updated may be found in the following articles, provided for your convenience:
What to do if you think you've been compromised
The best thing to do if you think you've been compromised is to attempt to restore your site from a backup taken prior to the compromise. Depending on how badly the site has been affected, this may mean restoring one copy at a time, working backwards from the current day, until you find one that isn’t affected.
If you don’t have a functional backup, you may be able to get assistance from your developer or our Support team if the damage isn't too extensive.