If you are using the Social Warfare plugin on any child sites (including the pro version of the plugin), deactivate the plugin on any child sites and wait for an update to be released. Wordfence has more about the issue in the plugin, which states that it is a stored Cross-Site Scripting (XSS) vulnerability. Sucuri also put out a post about the specific issue. Wordfence has updated the original post to include more information about the attack and what exactly was happening.
The plugins downloads have been temporarily closed at WordPress.org. The only other information about the issue is that the plugin when active is causing malware and/or sites to redirect. The issue is effecting live sites on versions 3.5.1 and 3.5.2. The current version of the plugin is 3.5.4.
On the afternoon of March 21, 2019, we were made aware of Zero-Day vulnerability affecting websites using the Social Warfare plugin.
Our development team has submitted Social Warfare V3.5.3 to the WordPress update-repository, which addresses this vulnerability and undoes any changes it makes. Please log-in to your WordPress dashboard and apply this update as soon as possible.
You can also manually download and install these updates directly via these links:
Social Warfare Pro
If you are not able to immediately apply this update we recommend that you disable Social Warfare and Social Warfare Pro until you can apply the V3.5.3 update.
Version 3.5.4 of the plugin has been updated on WordPress.org, so the recommended action is to update Social Warfare as soon as possible. Any malicious eval() option values will be deleted in the plugin update.
The WP-CLI command to update the plugin is;.
Wordfence published an additional post about the other vulnerability that was discovered in version 3.5.2 of the plugin, which was allowed remote code execution (RCE)