The unfiltered_html setting was previously enabled by default and allowed users with the unfiltered_html capability to inject any HTML code they wanted. This could be exploited by administrators to inject malicious code into the site that would then be executed by high-privileged users such as other admins.

Therefore, when upgrading from any version prior to 1.2.8, make sure to update to the latest version by following the instructions at https://meks.io/easy-social-share/upgrading/. In addition, make sure to review our recommendations regarding the unfiltered_html setting at https://meks.io/easy-social-share/advising/.

Easy Social Share is a popular plugin among WordPress users and is used by millions of sites. It allows users to share content from their WordPress site via various social media, including Facebook, Twitter, Google+, and LinkedIn.

Announcement of the Easy Social Share Plugin Hack

The Easy Social Share plugin has been hacked by someone who was able to inject malicious code into the site.
If you are an admin, you can verify whether the version of the plugin installed on your site is safe from this hack by following these steps:
1. Go to Settings > Plugins and check the Version number shown on the Easy Social Share screen.
2. If version 1.2.8 (or higher) is not displayed, update the plugin to 1.2.8 or higher.
3. If you are unsure of the latest version of your plugin, contact our support team at https://meks.io/easy-social-share/support/.
In order to prevent this hack, we recommend that all users update their plugins as soon as possible.

Fixed in Easy Social Share Plugin 1.2.8

In Easy Social Share Plugin 1.2.8, we've fixed an issue that allowed users with unfiltered_html capability to inject any HTML code they want. When upgrading from any version prior to 1.2.8, make sure to update to the latest version by following the instructions at https://meks.io/easy-social-share/upgrading/. In addition, make sure to review our recommendations regarding the unfiltered_html setting at https://meks.io/easy-social-share/advising/.

Vulnerability Summary

When Easy Social Share was first released, an issue was found that allowed users with unfiltered_html capability to inject any HTML code they wanted. This could be exploited by administrators to inject malicious code into the site that could be executed by high-privileged users such as admins.
To fix this vulnerability, the unfiltered_html setting in Easy Social Share was changed so that it can only be used for specific sites. The unfiltered_html capability is now disabled by default, and the recommendation is to enable it on a one-time basis for your site, only when you actually need it.
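One way to enforce the recommended default at the WordPress level (unfiltered_html denied to every role, stored markup sanitized on output), as an added example that is not part of Easy Social Share or its documentation; the plugin header, the option name and the function names are hypothetical, while map_meta_cap, wp_kses_post, user_can and DISALLOW_UNFILTERED_HTML are WordPress core APIs:

```php
<?php
/**
 * Plugin Name: Harden unfiltered_html (added example, not part of Easy Social Share)
 * Description: Deny the unfiltered_html capability to every role and sanitize
 *              stored HTML on output, so a compromised admin account cannot store
 *              script tags that other high-privileged users then execute.
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// 1. Deny unfiltered_html for all users, including administrators on single-site
//    installs, where WordPress grants it by default. The map_meta_cap filter runs
//    on every capability check; returning do_not_allow makes the check fail.
add_filter( 'map_meta_cap', function ( array $caps, string $cap ) {
    if ( 'unfiltered_html' === $cap ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 2 );

// 2. Equivalent switch without code: define this constant in wp-config.php.
//    WordPress core honors it, so it covers every plugin, not only this one.
// define( 'DISALLOW_UNFILTERED_HTML', true );

// 3. Sanitize stored markup on output regardless of who saved it. A plugin
//    setting such as a share-button label (hypothetical option name) is passed
//    through wp_kses_post(), which strips <script>, on* event handlers and
//    javascript: URLs while keeping ordinary post markup.
function example_render_share_label(): void {
    $label = get_option( 'example_share_label', '' ); // hypothetical option
    // Vulnerable form: echo $label;
    echo wp_kses_post( $label );
}

// 4. Self-check an administrator can run (e.g. from a debug page): once this
//    file is active it returns "unfiltered_html: denied" for every user id.
function example_report_unfiltered_html( int $user_id ): string {
    return 'unfiltered_html: ' .
        ( user_can( $user_id, 'unfiltered_html' ) ? 'ALLOWED' : 'denied' );
}
```

Step 1 and step 2 are alternatives; either one is enough to make unfiltered_html checks fail site-wide, while step 3 protects output even if the capability is later re-enabled.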

Vulnerability in Easy Social Share

In a recent update of the plugin, a vulnerability was discovered in which, if certain conditions are met, admins could inject malicious code into the site. This is an issue that could be exploited by high-privileged users such as admins and would allow them to execute code on the site. This particular vulnerability has been patched in version 1.2.8. To update to this latest version, please follow the instructions at https://meks.io/easy-social-share/upgrading/. In addition, make sure to review our recommendations regarding this and related topics at https://meks.io/easy-social-share/advising/.

Timeline

Published on: 10/17/2022 12:15:00 UTC
Last modified on: 10/21/2022 16:19:00 UTC