Social Warfare <= 3.5.2 – Unauthenticated Arbitrary Settings Update

  exploits
Description
Malicious eval() is being inserted into the wp_options table, in the option_name: social_wafare_settings, in the Twitter field. When the plugin is active, it causes the site to issue a JavaScript redirect to porn sites. Deactivating the plugin disables the redirect, but the malicious eval() is still in the database. The plugin has been pulled from the WordPress repository. https://wordpress.org/support/topic/malware-into-new-update/ So far we have seen this exploited on live sites running 3.5.1 and 3.5.2.