{"id":20789,"date":"2015-03-02T12:13:56","date_gmt":"2015-03-02T17:13:56","guid":{"rendered":"https:\/\/blog.shareaholic.com\/?p=20789"},"modified":"2015-06-16T12:17:36","modified_gmt":"2015-06-16T16:17:36","slug":"security-update-shareaholic-wordpress-plugin","status":"publish","type":"post","link":"https:\/\/www.shareaholic.com\/blog\/security-update-shareaholic-wordpress-plugin\/","title":{"rendered":"Security Update: Shareaholic WordPress Plugin"},"content":{"rendered":"<p>Recently, Shareaholic was notified by one of our <a href=\"http:\/\/security.szurek.pl\/\">users<\/a> about a security issue in our WordPress plugin. We have since fixed this bug (update released Friday, February 27, 2015) and encourage all Shareaholic WordPress users to <a href=\"http:\/\/wordpress.org\/support\/plugin\/shareaholic\" target=\"_blank\">update to the latest version of our\u00a0plugin<\/a>\u00a0to make sure you are protected.<\/p>\n<h3>Who is affected?<\/h3>\n<p>People who have installed the plugin on WordPress.org hosted sites that have users with any type of permission or <a href=\"http:\/\/codex.wordpress.org\/Roles_and_Capabilities#Roles\" target=\"_blank\">role<\/a>\u00a0(such as Authors, Editors, Contributors, and\/or Subscribers). WordPress.com hosted sites are not affected because they cannot install our plugin. This does not impact users who have the\u00a0apps installed on other platforms, including but not limited to: Blogger, Squarespace, Tumblr, Joomla, Weebly, and Drupal.<\/p>\n<h3>What does it do?<\/h3>\n<p>This\u00a0was a cross-site scripting (XSS) vulnerability exposed to authenticated users on your WordPress site. This bug can be exploited by your logged-in users. 
In short, users who do not have Admin privileges can take advantage of this\u00a0vulnerability to make changes\u00a0on your site as an Admin.<\/p>\n<h3>What is affected?<\/h3>\n<p>This bug does NOT change a user\u2019s role in WordPress, so any non-Admin users who have access to your site will not know about this exposure unless they actively seek it out. They will NOT see any changes to their\u00a0privileges (i.e., they won&#8217;t see their status change on the Roles page). This is a security issue on the backend; exploiting it would require a person who is aware that this vulnerability exists and knows how to exploit\u00a0it.<\/p>\n<h3>What should you do?<\/h3>\n<ul>\n<li><strong>STEP 1<\/strong>:\u00a0<a href=\"http:\/\/wordpress.org\/support\/plugin\/shareaholic\" target=\"_blank\">Update to the latest version of the Shareaholic WordPress plugin<\/a>. Need help updating your plugin from your WordPress admin? Follow this <a href=\"http:\/\/support.shareaholic.com\/hc\/en-us\/articles\/204451235-How-do-I-update-the-plugin-\" target=\"_blank\">helpful guide<\/a>.<\/li>\n<li><strong>STEP 2<\/strong>: As a safeguard, we recommend updating your WordPress Admin password. As described above, this vulnerability is difficult to detect, so we recommend taking precautions to ensure the safety of your site.<\/li>\n<\/ul>\n<h3>Thank You!<\/h3>\n<p>We, at Shareaholic, would like to take this opportunity to reflect on how seriously we take security and privacy. Through continued and regular revision, we are proud of the systems we have in place to deliver our products with care and expert attention to detail. However, as is the case for any small company, we recognize that though perfection is always the goal, we are certainly not perfect. 
It is with this in mind that we thank you for your trust, and thank our users who are invested in our success.<\/p>\n<p style=\"text-align: right;\">Image via <a href=\"http:\/\/www.pixabay.com\" target=\"_blank\">Pixabay.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently, Shareaholic was notified by one of our users about a security issue in our WordPress plugin. We have since fixed this bug (update released&hellip;&nbsp;<br \/><a class=\"continue-reading\" href=\"https:\/\/www.shareaholic.com\/blog\/security-update-shareaholic-wordpress-plugin\/\">Continue Reading<\/a><\/p>\n","protected":false},"author":73,"featured_media":20820,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[525],"tags":[172,158],"_links":{"self":[{"href":"https:\/\/www.shareaholic.com\/blog\/wp-json\/wp\/v2\/posts\/20789"}],"collection":[{"href":"https:\/\/www.shareaholic.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shareaholic.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shareaholic.com\/blog\/wp-json\/wp\/v2\/users\/73"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shareaholic.com\/blog\/wp-json\/wp\/v2\/comments?post=20789"}],"version-history":[{"count":0,"href":"https:\/\/www.shareaholic.com\/blog\/wp-json\/wp\/v2\/posts\/20789\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.shareaholic.com\/blog\/wp-json\/wp\/v2\/media\/20820"}],"wp:attachment":[{"href":"https:\/\/www.shareaholic.com\/blog\/wp-json\/wp\/v2\/media?parent=20789"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shareaholic.com\/blog\/wp-json\/wp\/v2\/categories?post=20789"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shareaholic.com\/blog\/wp-json\/wp\/v2\/tags?post=20789"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}