Major WordPress Exploit Affecting Sites with Shareaholic Social Media Sharing Plugin

A major exploit has been discovered in the popular WordPress plugin Shareaholic earlier this month that has left some websites with spam from being hacked through the exploit, with many more sites that re vulnerable.

Shareaholic is one of the two most popular social media sharing WordPress plugins, with over 100,000 active installs with AddThis being the other.

The exploit itself is through XSS scripting that can be done by anyone with a login to the WordPress website – even just basic users. And while many WordPress blogs not openly soliciting registrations, they haven’t disabled accounts from being created, leaving them vulnerable to this exploit.

Shareaholic updated their plugin to fix the exploit, so be sure you are running the current version, especially if you do not update your plugins automatically.  You need to be running 7.6.1.0 or higher to fix the vulnerability, which was fixed on February 27, 2015,  Shareaholic posted about the issue on their blog, but there is no mention on their WordPress plugin page about it being an issue, unless you dig into the changelog file.

When you update, it is also worth double checking to ensure the monetization options you have disabled (which essentially allow Shareaholic to include their own advertisements, with some users seeing their own ads replaced by Shareaholic’s own ads) haven’t been re-enabled with the update.

There have been several exploits discovered recently in several popular WordPress plugins over the last few months, including SEO by Yoast, Fancybox-for-Wordpress and Revslider Premium Plugin. It is worth reminding those that use WordPress that they should regularly update all their plugins, especially for the most popular ones.

While it is unclear if it has happened for this particular plugin, if Google notices the hacked content resulting from exploits on a webpage, they will alert you in Google webmasters tools, as well including an alert in the search results for the site stating ”this site may be hacked”.

The following two tabs change content below.

• Bio
• Latest Posts

Jennifer Slegg

Founder & Editor at The SEM Post

Jennifer Slegg is a longtime speaker and expert in search engine marketing, working in the industry for almost 20 years. When she isn't sitting at her desk writing and working, she can be found grabbing a latte at her local Starbucks or planning her next trip to Disneyland. She regularly speaks at Pubcon, SMX, State of Search, Brighton SEO and more, and has been presenting at conferences for over a decade.

Latest posts by Jennifer Slegg (see all)

• 2022 Update for Google Quality Rater Guidelines – Big YMYL Updates - August 1, 2022
• Google Quality Rater Guidelines: The Low Quality 2021 Update - October 19, 2021
• Rethinking Affiliate Sites With Google’s Product Review Update - April 23, 2021
• New Google Quality Rater Guidelines, Update Adds Emphasis on Needs Met - October 16, 2020
• Google Updates Experiment Statistics for Quality Raters - October 6, 2020