Unpatched Zero-Day Vulnerability in Social Warfare Plugin Exploited In The Wild

Earlier today, an unnamed security researcher published a full disclosure of a stored Cross-Site Scripting (XSS) vulnerability present in the most recent version of popular WordPress plugin Social Warfare. The plugin, which was subsequently removed from the WordPress.org plugin repository, has an active install base of over 70,000 sites. The flaw allows attackers to inject malicious JavaScript code into the social share links present on a site’s posts.

The Defiant Threat Intelligence team has already identified attacks against this vulnerability, and has deployed a firewall rule to prevent its exploitation. Premium users gain immediate access to the new rule, and after a thirty-day delay it will be available to Free users. Because this vulnerability has yet to be patched, it is recommended that site administrators deactivate the plugin until a patch is released.

At this time, we are refraining from publicizing details of the flaw and the attacks against it. Once the vendor makes a patch available, we will produce a follow-up post with further information.

What Should I Do?

If your site is protected by Wordfence Premium, your firewall will have a new rule designed to prevent these attacks. If not, you can gain access to the rule by upgrading to Premium now. Short of that, deactivating the Social Warfare plugin until a patch is available will prevent these attacks, though at the loss of the plugin’s functionality.

Our team is actively tracking attacks against this flaw, and will publish more details as soon as we feel it is responsible to do so. In the meantime, please consider sharing this public service announcement with other WordPress users who may not know of these new risk factors.


  • Our entire development team is currently working to issue a patch and hope to have it released within the hour, but in the meantime we recommend disabling Social Warfare and Social Warfare Pro on your website.

    This patch, once available, will be listed as version 3.5.3 and you will be able to download and apply the update even while Social Warfare and Social Warfare Pro are disabled.

    For up-to-the-minute updates on this issue you can view our support page at https://warfareplugins.com/submit-ticket/ or our Twitter at https://twitter.com/warfareplugins.

  • We found out about this just over 2 hours ago and started working frantically on a solution. We have now both patched the vulnerability and made it so that any affected sites will be automatically fixed immediately upon installing 3.5.3. We just published this version about 10 minutes ago that will immediately fix this issue. It won’t be available until WordPress reviews the new version and reactivates the plugin.

    In the meantime, you can get the fixed version directly from our website here:

    We are super upset and distressed about this, as I’m sure you can all imagine. Hackers suck and it’s horrible that we live in a world where people do this. But at the end of the day, it was still our fault for having the vulnerability for them to be able to take advantage of. We’re more sorry about this whole ordeal than any of you could possibly imagine, and we’re thankful for a lot of the support and wonderful kindness that the vast majority of you have sent our way during this.

  • It's frustrating that Social Warfare didn't send out a notification about this, leaving site owners to guess at what was wrong. I had to search "Social Warefare Hacked" in order to even get the latest information about it...