A vulnerability was discovered in the WordPress Kiwi Social Sharing plugin by NinTechNet that allows unauthenticated options to change/read.
Kiwi Social Share allows you to easily add buttons to social networks such as Facebook, Twitter, LinkedIn, Pinterest, and Flint.
NinTechNet reports that hackers exploited a vulnerability in the Kiwi Social Sharing plugin back in 2018. It allows unauthenticated attackers to modify (and read) the configuration of any WordPress option in the database to, for example, enable registration, set the user’s default role to administrator, or alter the value of site URL in order to redirect traffic to a malicious website. A patch for this vulnerability was released on November 12, 2018
Based on the plugin’s revision log, it appears that the security fix was undone in version 2.1.0, released on January 20.
On April 15, 2021, the WordPress Plugin Team was informed of the vulnerability, and a new version 2.1.3 of the plugin was released on May 28.
In version 2.1.3, the WordPress Kiwi Social Sharing plugin (with 10,000+ active installations) published a fix that addressed this critical vulnerability that could have been exploited by unauthenticated users.
Make sure your WordPress Kiwi Social Sharing plugin is updated to the latest version (at least 2.1.3) to keep your website safe from attacks.