A critical vulnerability in the WordPress plugin Simple Social Buttons allows an attacker to completely take over a website.
The plugin allows users to add social media sharing buttons on the sidebar, inline, above and below the content of the post, on photos, pop-ups and fly-ins.
The bug is the result of an improper design flow and the lack of a permission check. This results in privilege escalation and unauthorised actions in a WordPress installation that could allow non-admin users or even subscribers to modify the WordPress installation options from the wp-options table. according to an 11 February WebARX blog post.
The issue was discovered and reported on 7 February and was patched the next day. Users should update to the latest version as soon as possible as plugin versions from 2.0.4 and before version 2.0.22 were affected.
This article was originally published on SC Media US.