Social Warfare Plugin Vulnerability Temp Deactivate Now

Social Warfare Plugin Vulnerability

If you are using the Social Warfare plugin on any child sites (including the pro version of the plugin), deactivate the plugin on any child sites and wait for an update to be released. Wordfence has more about the issue in the plugin, which states that it is a stored Cross-Site Scripting (XSS) vulnerability.  Sucuri also put out a post about the specific issue. Wordfence has updated the original post to include more information about the attack and what exactly was happening.

The plugins downloads have been temporarily closed at The only other information about the issue is that the plugin when active is causing malware and/or sites to redirect. The issue is effecting live sites on versions 3.5.1 and 3.5.2. The current version of the plugin is 3.5.4.

The developers of the Social Warfare plugin are aware of the zero-day exploit and a new release 3.5.3 should be updated on in the next hour, if not sooner.

On the afternoon of March 21, 2019, we were made aware of Zero-Day vulnerability affecting websites using the Social Warfare plugin.

Our development team has submitted Social Warfare V3.5.3 to the WordPress update-repository, which addresses this vulnerability and undoes any changes it makes. Please log-in to your WordPress dashboard and apply this update as soon as possible.

You can also manually download and install these updates directly via these links:

Manage all your WordPress sites with the MainWP Dashboard

WordPress Management for Professionals

Are you ready to go Pro?

All MainWP Pro Extensions are available through one of our convenient bundled packages.

Social Warfare

Social Warfare Pro

If you are not able to immediately apply this update we recommend that you disable Social Warfare and Social Warfare Pro until you can apply the V3.5.3 update.

Version 3.5.4 of the plugin has been updated on, so the recommended action is to update Social Warfare as soon as possible. Any malicious eval() option values will be deleted in the plugin update.

The WP-CLI command to update the plugin is;.

wp plugin update social-warfare

Wordfence published an additional post about the other vulnerability that was discovered in version 3.5.2 of the plugin, which was allowed remote code execution (RCE)

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Looking for something?

Your Download Is Just One Click Away

…or just download the plugin.

By entering your email, you agree to our Terms of Service and Privacy Policy.