WordPress plugin update leads to thousands of sites exposing users to adware

Paul Bischoff, security and privacy advocate for Comparitech.com, is warning website owners who use the Simple Share Buttons plugin for WordPress that clicking to “accept” the terms and conditions of the latest update could allow their websites to subject users to threats.

 

Users were asked to accept new terms and conditions because social media toolmaker ShareThis acquired the company that makes the plugin back in June. The Simple Share Buttons plugin now falls under ShareThis' privacy policy.

 

Bischoff explained in his blog, “A message appears prominently at the top of the WordPress editor page promising ‘great new features’. The message includes links to ShareThis' privacy policy and terms of use, but there is no option to decline them. Without even the option to close the message, it continues to nag users until they either agree or remove the plugin altogether.”

 

With over 100,000 active installs according to WordPress.org, even if only a small number of these users hit the accept button to make the message disappear, it would lead to thousands of websites exposing visitors to adware and other threats.


The updated plugin gathers information if a user clicks the update button. The ShareThis privacy policy states that the company may “share non-aggregate, non-personally identifiable usage information, including audience segments, with third-party advertisers and publishers to assist us and them in delivering relevant, targeted advertising that is aligned with user interests. While using the ShareThis Services, we may place third-party advertisers' and publishers' cookies and pixels on their behalf regarding usage information.”


The popular plugin is used by everyone from casual bloggers and small businesses to large publishers.

 

Nigel Tunnacliffe, senior director at ShareThis, told Comparitech, “We always appreciate feedback from our users, and we understand the inconvenience this update caused. It's important to us that we ensure that the new privacy policy only applies to those who have accepted it. The next update, which will be available soon, will allow plugin users to close the notice without accepting the terms. I'll let you know directly when that update is available.”
