Exploits in the Wild for WordPress Social Warfare Plugin CVE-2019-9978

released on 2019-04-22 @ 04:10:55 PM
On 21 March, researchers disclosed two vulnerabilities in Social Warfare, a very popular WordPress plugin that adds social share buttons to a website or blog. One is a stored cross-site scripting (XSS) vulnerability and the other is a remote code execution (RCE) vulnerability; both are tracked under CVE-2019-9978. Both vulnerabilities are present in all versions of Social Warfare prior to 3.5.3. A fix was released on 21 March, and an estimated 42,000 websites remain potentially vulnerable until they update to 3.5.3. An attacker can use these vulnerabilities to run arbitrary PHP code and take control of the website and the underlying server without authentication. Attackers may use the compromised sites to mine digital coins or to host malicious exploit code. Unit 42 researchers found five compromised sites actively being used to host malicious exploit code, which in turn allows the attackers to take control of more websites.