Conversation
WP Scan / iThemes Security Pro is reporting: WordPress Social Warfare plugin <= 4.4.0 – Cross-Site Request Forgery vulnerability. You can see this here. Is this anything to be concerned about? When will an update be released? Thanks. Paul.
I just logged in here to see if anyone had mentioned this yet, as I’m seeing the same thing with my client’s sites that use this plugin. Hoping for an update.
Looking for an update on this before removing it from our sites. Any news? Thanks.
Anyone seeing a resolution to this? Thinking about switching to a different solution.
I gave up and emailed support. Initially I was told to upgrade my plugin by deleting what was installed and then reinstalling from the repository. This was fruitless since it installed the same version 4.4.0. When I pointed this out, I was then informed: “Thanks Paul – Our development team is going to reach out to them.” So perhaps it is a false-positive (although on WPScan – https://wpscan.com/vulnerability/7140abf5-5966-4361-bd51-ee29d3071a30 – it shows as vulnerable still). Hope this helps.
I also emailed support the link from Wordfence. https://www.cve.org/CVERecord?id=CVE-2023-0403
Hi @ptaubman @chriscobb @anotherdave Sorry for the confusion here. This is a false positive and we have been hoping that they would update their sites before we reported back here. I know this was 5 days ago, but we do not monitor the WP support channel on the weekend. We will do better in the future because I see this is a justifiable concern for all of you. If you look at the Wordfence report, you will see that the vulnerability was patched weeks ago. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/social-warfare/social-warfare-430-cross-site-request-forgery And in truth, this “vulnerability” was not really a vulnerability. Basically the vulnerability allowed a hacker with “user” permissions (which is any current paid customer) to log in and temporarily disconnect the FB handshake on someone else’s account. But on the next cron, the handshake would fix itself. So why would a hacker waste their time trying to annoy someone with a temporarily disconnected FB? But this is a vulnerability and we take security very seriously. And it has been patched. We will be releasing 4.4.1 and fixing a few other minor bugs. We want to always try to improve and be the best social sharing plugin on the market. Thank you
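For readers wondering what a CSRF fix of the kind described above looks like in a WordPress plugin, here is an added illustration (not Social Warfare's code): an AJAX handler that disconnects a user's social "handshake", shown without and then with a nonce check and an authorization check. The action names, the user-meta key and the `demo_` functions are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. Action names, the meta key
// and the demo_* functions are hypothetical.

// BEFORE: no nonce and no authorization. A logged-in user can be made to
// fire this request from another site (CSRF), and the target user id is
// taken straight from the request, so another account can be affected.
function demo_disconnect_handshake_vulnerable() {
    $target = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : get_current_user_id();
    delete_user_meta( $target, 'demo_fb_handshake_token' );
    wp_send_json_success( array( 'disconnected' => $target ) );
}
add_action( 'wp_ajax_demo_disconnect_handshake_vulnerable', 'demo_disconnect_handshake_vulnerable' );

// AFTER: verify a per-action nonce (stops cross-site requests) and check
// that the caller may change the target account (stops acting on others).
function demo_disconnect_handshake_hardened() {
    // Ends the request with HTTP 403 when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'demo_disconnect_handshake', 'nonce' );

    $target = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : get_current_user_id();

    // Only the account owner, or someone who can edit that user, may disconnect it.
    if ( $target !== get_current_user_id() && ! current_user_can( 'edit_user', $target ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    delete_user_meta( $target, 'demo_fb_handshake_token' );
    wp_send_json_success( array( 'disconnected' => $target ) );
}
add_action( 'wp_ajax_demo_disconnect_handshake_hardened', 'demo_disconnect_handshake_hardened' );

// The settings form (or the JS that posts to the hardened action) must include
// a nonce generated for the same action name, e.g. via this hidden field.
function demo_handshake_nonce_field() {
    return wp_nonce_field( 'demo_disconnect_handshake', 'nonce', true, false );
}
```

A scanner such as WPScan matches on the installed version string, so a site stays flagged until the plugin's version number moves past the affected range, regardless of whether the code itself was already fixed.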
@warfareplugins thanks for the clarification
Thank you for your patience and cooperation as we work to increase our support staff for our growing number of users on our platform
@warfareplugins thank you and the team so much!