Recently, Shareaholic was notified by one of our users about a security issue in our WordPress plugin. We have since fixed this bug (update released Friday, February 27, 2015) and encourage all Shareaholic WordPress users to update to the latest version of our plugin to make sure you are protected.
Who is affected?
People who have installed the plugin on self-hosted WordPress sites (the software distributed through WordPress.org) and whose site has other registered users in any role (such as Authors, Editors, Contributors, and/or Subscribers). WordPress.com hosted sites are not affected because they cannot install our plugin. This does not impact users who have the apps installed on other platforms, including but not limited to: Blogger, Squarespace, Tumblr, Joomla, Weebly, and Drupal.
What does it do?
This was a cross-site scripting (XSS) vulnerability exposed to authenticated users on your WordPress site, meaning it can only be exploited by someone who is logged in. In short, a user who does not have Admin privileges could supply script that executes in the browser of an Administrator viewing the affected page, and that script could then make changes on your site with the Administrator's session and privileges.
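To illustrate the class of bug described above, here is an added example of a vulnerable WordPress plugin pattern next to its hardened form. This is not Shareaholic's code and does not reproduce the actual bug; the function names, the `example_title` option and the `example_save_title` nonce action are hypothetical. It shows how a setting writable by any logged-in user and printed without escaping on an admin page lets a low-privileged user run script in an Administrator's browser, and how a capability check, a nonce, input sanitisation and output escaping close that off.

```php
<?php
// Illustrative example only. NOT the Shareaholic plugin's code; all names are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// Any logged-in user who can reach this handler can store arbitrary text,
// because there is no capability check, no nonce and no sanitising.
function example_save_title_vulnerable() {
    if ( isset( $_POST['example_title'] ) ) {
        update_option( 'example_title', $_POST['example_title'] );
    }
}

// The stored value is later printed unescaped on an admin-only page. If it
// contains <script>...</script>, that script runs in the Administrator's
// browser and can act with the Administrator's session (XSS).
function example_render_title_vulnerable() {
    echo '<h2>' . get_option( 'example_title', '' ) . '</h2>';
}

// --- Hardened pattern -----------------------------------------------------
// 1. Only users with the right capability may write the setting.
// 2. A nonce ties the request to a form we rendered (blocks forged requests).
// 3. Input is sanitised on the way in.
function example_save_title_hardened() {
    if ( ! isset( $_POST['example_title'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to change this setting.' );
    }
    check_admin_referer( 'example_save_title' );
    $title = sanitize_text_field( wp_unslash( $_POST['example_title'] ) );
    update_option( 'example_title', $title );
}

// 4. Output is escaped for the context it lands in: esc_html() for element
//    content, esc_attr() for attribute values. Even if a bad value were
//    stored, it would be rendered as text, not executed.
function example_render_title_hardened() {
    $title = get_option( 'example_title', '' );
    echo '<h2>' . esc_html( $title ) . '</h2>';
    echo '<form method="post">';
    wp_nonce_field( 'example_save_title' );
    echo '<input type="text" name="example_title" value="' . esc_attr( $title ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

The two changes that matter most are the `current_user_can()` check, which stops non-Admin users from writing the value at all, and the `esc_html()` / `esc_attr()` calls, which ensure that whatever is stored cannot run as script in an Administrator's browser. Sanitising on input is a useful second layer, but escaping on output is what actually prevents XSS.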
What is affected?
This bug does NOT change a user's role in WordPress, so non-Admin users who have access to your site will not know about this exposure unless they actively seek it out. They will NOT see any change to their privileges (i.e. their status on the Roles page stays the same). This is a backend security issue; exploiting it requires a person who is aware that the vulnerability exists and knows how to use it.
What should you do?
- STEP 1: Update to the latest version of the Shareaholic WordPress plugin. Need help updating your plugin from your WordPress admin? Follow this helpful guide.
- STEP 2: As a safeguard, we recommend changing your WordPress Admin password. As described above, exploitation of this vulnerability is difficult to detect, so we recommend taking this precaution to help ensure the safety of your site.
We, at Shareaholic, would like to take this opportunity to reflect on how seriously we take security and privacy. Through continued and regular review, we are proud of the systems we have in place to deliver our products with care and expert attention to detail. However, as is the case for any small company, we recognize that though perfection is always the goal, we are certainly not perfect. It is with this in mind that we thank you for your trust, and thank our users who are invested in our success.