Malware into new update!

We found out about this just over 2 hours ago and started working frantically on a solution. We have now patched both the vulnerability and have made it so that any affected sites will be automatically fixed immediately upon installing 3.5.3. We just published this version about 10 minutes ago that will immediately fix this issue. It won’t be available until WordPress reviews the new version and reactivates the plugin.

In the mean time, you can get the fixed version directly from our website here:
https://warfareplugins.com/updates/social-warfare/social-warfare.zip

We are super upset and distressed about this, as I’m sure you can all imagine. Hackers suck and it’s horrible that we live in a world where people do this. But at the end of the day, it was still our fault for having the vulnerability for them to be able to take advantage of. We’re more sorry about this whole ordeal than any of you could possibly imagine, and we’re thankful for a lot of the support and wonderful kindness that the vast majority of you have sent our way during this.

On the afternoon of March 21, 2019, we were made aware of Zero-Day vulnerability affecting websites using the Social Warfare plugin.

Our development team has submitted Social Warfare V3.5.3 to the WordPress update-repository, which addresses this vulnerability and undoes any changes it makes. Please log-in to your WordPress dashboard and apply this update as soon as possible.

You can also manually download and install these updates directly via these links:

Social Warfare:
https://warfareplugins.com/updates/social-warfare/social-warfare.zip

Social Warfare Pro:
https://warfareplugins.com/updates/social-warfare-pro/social-warfare-pro.zip

If you are not able to immediately apply this update we recommend that you disable Social Warfare and Social Warfare Pro until you can apply the V3.5.3 update.

Do we need to delete something in database table? Are the malicious eval() is still in the database after installed new updated plugin or we need to delete manual that malicious eval? If we need to delete it can you tell us how to do that?

No, our fix deletes it for you.

Hi! I’m closing this topic for a few reasons.

1. The original poster is a premium user. While they can leave a review here, as that’s allowed for upsell plugins like this one, premium users can’t post for support here. That’s not allowed.

   https://www.ads-software.com/support/guidelines/#do-not-post-about-commercial-products

2. This topic is a pile on. I’ve archived the replies. Some of the replies were just plain venting and more than a little pissed off. That’s understandable to a point but not productive or for these forums.

   If you legitimately need help, if you are are not a customer of this plugin, if you are a user of the plugin from the WordPress repo then you can start your own topic for help.

   https://www.ads-software.com/support/plugin/social-warfare/#new-post

   That’s how these forums work. If you need support then per the forum guidelines please start your own topic.

   https://www.ads-software.com/support/forum-user-guide/faq/#i-have-the-same-problem-can-i-just-reply-to-someone-elses-post-with-me-too

3. If you are a customer then contact the author on their own site. Not here.

4. This plugin has been updated with the fix. If you have not already, update now.

5. If you are concerned that you’ve been hacked then give this a read to delouse your WordPress installation.

   https://www.ads-software.com/support/article/faq-my-site-was-hacked/

   When you have successfully deloused your site then consider giving this a read too.

   https://www.ads-software.com/support/article/hardening-wordpress/

6. If you do leave a review then USE YOUR WORDS. Being upset is understandable but no one here is anyone’s punching bag. Keep it to the facts and leave name calling out of it.

*Re-reads.*

I’ll be surprised if the formatting works but that’s it for this topic and post.