CVE-2021-4362
📋 TL;DR
The Kiwi Social Share WordPress plugin, in versions up to and including 2.0.10, exposes the kiwi_social_share_get_option AJAX action without an authorization check, so unauthenticated attackers can read and modify arbitrary WordPress options. Options such as siteurl, home, users_can_register and default_role decide where the site loads its assets from and whether a visitor can self-register as an administrator, so the bug leads to complete site takeover. The fix shipped in version 2.1.0; every site still running an earlier version is affected.
💻 Affected Systems
- Kiwi Social Share WordPress Plugin
📦 What is this software?
Kiwi Social Share is a WordPress plugin that adds social-media sharing buttons to posts and pages. Its settings are stored as WordPress options and read and written through admin-ajax.php actions, which is where the flaw lies.
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise - attackers can create administrator accounts, modify site configuration, inject malicious code, or redirect visitors to malicious sites.
Likely Case
Site defacement, data theft, or malware injection through modified WordPress settings and plugin configurations.
If Mitigated
Limited impact if the plugin is disabled or a WAF rule blocks the vulnerable action for requests that carry no WordPress login cookie. Network segmentation does not help: /wp-admin/admin-ajax.php must stay reachable from the Internet for the site's front end to work.
🎯 Exploit Status
Exploitation is a single crafted POST to /wp-admin/admin-ajax.php naming the vulnerable action; no login or user interaction is needed. Technical details and a public proof of concept exist in the security advisories listed under References.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.0 (the release that fixed the issue); update to the latest version available
Vendor Advisory: https://wordpress.org/plugins/kiwi-social-share/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Kiwi Social Share plugin
4. Click 'Update Now' to update to latest version
5. Confirm the installed version is 2.1.0 or later
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or block access to the vulnerable kiwi_social_share_get_option AJAX action. Unhooking only the nopriv variant stops anonymous callers but leaves any logged-in account (a subscriber included) able to reach the handler if it performs no capability check of its own, so unhook both; the plugin's settings screen may stop working until you update.
Add to theme's functions.php or a must-use plugin (wp-content/mu-plugins/):
// Unhook the vulnerable AJAX handler after every plugin has registered its hooks.
add_action('init', function() {
    // remove_all_actions() works regardless of the plugin's callback name.
    remove_all_actions('wp_ajax_nopriv_kiwi_social_share_get_option');
    remove_all_actions('wp_ajax_kiwi_social_share_get_option');
}, PHP_INT_MAX);
Web Application Firewall rule
Block requests to the vulnerable AJAX action without blocking admin-ajax.php itself, which themes and plugins use for anonymous visitors.
WAF rule to block: requests to /wp-admin/admin-ajax.php whose query string or POST body contains action=kiwi_social_share_get_option. Inspect the body as well as the URL, because WordPress AJAX clients normally send the action in the POST body.
🧯 If You Can't Patch
- Immediately disable the Kiwi Social Share plugin via WordPress admin or by renaming the plugin directory
- Block the vulnerable action at the web server or WAF rather than restricting admin-ajax.php by source address: the endpoint serves anonymous front-end traffic, so limiting it to trusted networks breaks the site without closing the hole for anyone who can still reach it
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the Kiwi Social Share version. If it is 2.0.10 or earlier, you are vulnerable.
Check Version:
wp plugin list --name='kiwi-social-share' --field=version (if WP-CLI installed)
Verify Fix Applied:
Confirm the installed version is 2.1.0 or later, then send a POST to /wp-admin/admin-ajax.php with action=kiwi_social_share_get_option from a client that holds no WordPress login cookie. A fixed site must refuse the request (for an action with no registered handler, WordPress answers with the body 0 and HTTP status 400) instead of returning the requested option value.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php whose action parameter is kiwi_social_share_get_option, especially from clients sending no wordpress_logged_in_* cookie. An access log does not record WordPress authentication: the user field of a combined-format log reflects HTTP authentication only and reads "-" for almost every WordPress request, legitimate or not.
- Unexpected changes to sensitive rows in wp_options (siteurl, home, admin_email, users_can_register, default_role), or a new administrator account with no matching activity by an existing administrator
Network Indicators:
- Bursts of admin-ajax.php requests naming the kiwi_social_share_get_option action from a single external IP, typically with no Referer and a scripting user agent
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (query="*action=kiwi_social_share_get_option*" OR post_data="*action=kiwi_social_share_get_option*")
The action is normally carried in the POST body, which a standard access log does not capture; the post_data clause only matches if a WAF audit log or a custom log format records request bodies. Without body logging, the query catches only attackers who put the action in the query string.
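The log indicators above, as an added example that is not part of the original advisory or the plugin's own code: a small Python scanner over combined-format access log lines. The sample traffic is constructed for this example (203.0.113.9, 198.51.100.4 and 192.0.2.77 are documentation addresses, and the user agents are made up). It flags admin-ajax.php requests whose action names kiwi_social_share_get_option and counts them per source IP. Because a combined-format log carries neither the POST body nor cookies, the sample lines put the action in the query string; the ajax_action() helper also accepts a body string for feeds that do record bodies, such as a WAF audit log or an nginx log_format that includes $request_body.

```python
"""Scan access-log lines for probing of the Kiwi Social Share AJAX action (CVE-2021-4362)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# The AJAX action named in the advisory; add further actions here if a feed reports them.
SUSPECT_ACTIONS = {"kiwi_social_share_get_option"}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines, not real traffic. Only the first two carry the action in the
# query string; the third is a POST whose body (and therefore action) the log cannot show.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Oct/2018:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=kiwi_social_share_get_option HTTP/1.1" 200 57 "-" "python-requests/2.19.1"
203.0.113.9 - - [12/Oct/2018:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=kiwi_social_share_get_option HTTP/1.1" 200 12 "-" "python-requests/2.19.1"
198.51.100.4 - - [12/Oct/2018:10:02:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "https://example.org/wp-admin/post.php" "Mozilla/5.0"
198.51.100.4 - - [12/Oct/2018:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 31 "https://example.org/wp-admin/" "Mozilla/5.0"
192.0.2.77 - - [12/Oct/2018:10:03:00 +0000] "GET /?p=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ajax_action(target, body=None):
    """Extract the WordPress AJAX `action` parameter.

    Looks in the query string of the request target first, then in an optional
    form-encoded POST body (supplied by log sources that record bodies).
    """
    for source in (urlsplit(target).query, body or ""):
        values = parse_qs(source).get("action")
        if values:
            return values[0]
    return None


def is_suspect(rec, body=None):
    """True when the record hits admin-ajax.php with one of the suspect actions."""
    if urlsplit(rec["target"]).path != "/wp-admin/admin-ajax.php":
        return False
    return ajax_action(rec["target"], body) in SUSPECT_ACTIONS


def scan(lines, threshold=1):
    """Return (hits, offenders).

    hits      -> list of parsed records that name a suspect action
    offenders -> {source_ip: hit_count} for IPs with at least `threshold` hits
    """
    hits = [rec for rec in map(parse_line, lines) if rec and is_suspect(rec)]
    counts = Counter(rec["ip"] for rec in hits)
    offenders = {ip: n for ip, n in counts.items() if n >= threshold}
    return hits, offenders


if __name__ == "__main__":
    hits, offenders = scan(SAMPLE_LOG.splitlines())
    for ip, n in sorted(offenders.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} request(s) naming a Kiwi Social Share option action")
    for rec in hits:
        print(f"  {rec['ts']} {rec['method']} {rec['target']} -> {rec['status']} ua={rec['ua']}")
```

Pipe a real log through scan() (one line per element) and raise the threshold to suppress single stray hits. The POST on the third sample line is invisible to this scanner by design: its action sits in the body, which is exactly why the WAF rule above must inspect bodies and why a body-logging feed is needed for reliable detection.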
🔗 References
- https://blog.nintechnet.com/wordpress-kiwi-social-sharing-plugin-fixed-critical-vulnerability/
- https://wordpress.org/plugins/kiwi-social-share/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8148b6d0-190a-4b97-8af7-edd6943116d1?source=cve