Active exploits for a recently disclosed bug in a popular WordPress plugin, Social Warfare, are snowballing in the wild – potentially putting more than 40,000 websites at risk.
The vulnerability, CVE-2019-9978, tracks both a stored cross-site scripting (XSS) vulnerability and a remote code-execution (RCE) bug. An attacker can use these vulnerabilities to run arbitrary PHP code and gain control of the website and server, without authentication.