Description
WordPress Plugin Social Media Widget contains a hidden call to i.aaur.net/i.php, which is used to inject payday loan spam into websites running the plugin. Version 4.0 of the plugin is vulnerable; other versions may also be affected.
Remediation
Update the plugin to version 4.0.2 or the latest version.
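An added example (not part of the original advisory and not the plugin's code): a Python check that reads an installed plugin's `Version:` header, compares it with the fixed release 4.0.2, and lists PHP lines that name the `i.aaur.net` host. The file names and the sample tree built by `demo()` are constructed assumptions. A plain-text match does not catch an encoded reference, so treat the version result as the primary signal.

```python
import re
import sys
import tempfile
from pathlib import Path

INDICATOR = re.compile(rb"i\.aaur\.net", re.I)   # host named in the advisory
FIXED = (4, 0, 2)                                # fixed release per the advisory
VERSION_HEADER = re.compile(rb"^[ \t/*#]*Version:[ \t]*(\d+(?:\.\d+)*)", re.I | re.M)

def parse_version(text):
    """'4.0' -> (4, 0, 0), so that 4.0 < 4.0.2 compares correctly."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def audit_plugin(plugin_dir):
    """Return (version, needs_update, hits) for one plugin directory."""
    root, version, hits = Path(plugin_dir), None, []
    for path in sorted(root.rglob("*.php")):
        data = path.read_bytes()
        # WordPress takes the plugin version from a "Version:" header comment
        # in a PHP file at the top level of the plugin directory.
        if version is None and path.parent == root:
            found = VERSION_HEADER.search(data[:8192])
            if found:
                version = parse_version(found.group(1).decode())
        for number, line in enumerate(data.splitlines(), 1):
            if INDICATOR.search(line):
                hits.append((path.relative_to(root).as_posix(), number))
    # An unreadable version is treated as needing attention, not as safe.
    return version, version is None or version < FIXED, hits

def demo():
    """Audit a constructed plugin tree (not the real plugin's code)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "social-media-widget")
        (root / "lib").mkdir(parents=True)
        (root / "social-widget.php").write_text(
            "<?php\n/*\n * Plugin Name: Social Media Widget\n * Version: 4.0\n */\n")
        (root / "lib" / "extra.php").write_text(
            "<?php\n$src = 'http://i.aaur.net/i.php'; // constructed sample line\n")
        return audit_plugin(root)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(audit_plugin(target) if target else demo())
```

Run it with the plugin directory as its argument, for example the `social-media-widget` folder under `wp-content/plugins`; any hit, or a version below 4.0.2, means the plugin should be replaced with the fixed release.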
References
https://blog.sucuri.net/2013/04/wordpress-plugin-social-media-widget.html
http://www.openwall.com/lists/oss-security/2013/04/14/1
https://wordpress.org/plugins/social-media-widget/changelog/