Are you using Bootstrap powered theme or plugin? If yes, then Consider updating the Bootstrap version to the latest 4.3.1 and 3.4.1 version. Previous versions (4.3 and 3.4) were reported to have XSS vulnerability (CVE-2019-8331) that affects tooltip and popover plugin usability, compromising on website’s security.
As approx 16% of the web uses Bootstrap for WordPress themes and plugins, it’s crucial to update the developers and website owners about the recent vulnerability and website security loopholes.
Bootstrap 4.3.1 & 3.4.1 released
“Earlier this week a developer reported an XSS issue similar to the data-target vulnerability that was fixed in v4.1.2 and v3.4.0: the data-template attribute for our tooltip and popover plugins lacked proper XSS sanitization of the HTML that can be passed into the attribute’s value.” – reported in the official blog post.
The moment this security loophole was exposed by the Bootstrap Drupal project and development team, officials took no time in releasing patches 4.3.1 and 3.4.1 on 15th Feb 2019, fixing the bug.
The patched Bootstrap versions 4.3.1 and 3.4.1 allow only whitelisted HTML elements in the data attribute. Thanks to the new JS sanitizer that can be modified and customized.
Simple Social Buttons is a popular plugin available in both free and paid versions which adds social media sharing buttons at the sidebar, inline, above or below the post. It also adds these buttons on pictures, popups, and fly-ins.
According to the researcher, a hacker who can register on your website for adding comments or sharing your posts to other social platforms can easily exploit this vulnerability to plant backdoors for taking over admin accounts for further unauthorized access.
Luka Šikić discovered this security vulnerability last week and notified the problem to the plugin’s developer WPBrigade. The developer took no time in releasing a security patch for the plugin.
Luka Šikić also posted a demo on YouTube to show the severe consequences of the plugin’s vulnerabilities.
Update The Plugin – ASAP!
It’s recommended to update this plugin immediately to the newer version, i.e., 2.0.22.
WordPress plugins sure help in extending the functionality of an otherwise easy-to-use CMS but it also comes with own set of vulnerabilities. If you’ve been using WordPress CMS for a while, this isn’t something new to you.
In addition, the researchers at Sucuri and MalwareBytes claim that hackers are exploiting vulnerabilities in outdated themes and plugins. And the outdated Simple Social Buttons plugin is on top of their list.
According to the stats on WordPress.org, the free version of this plugin is currently installed on more than 40,000 WordPress sites, making them vulnerable to this severe security bug.
Thus, the website owners who have this plugin installed must update it as quickly as possible.