WordPress site owners who are using the Simple Social Buttons plugin to support social media sharing features should update the plugin as soon as possible to plug a security hole that can be exploited to take over sites.
Luka Šikić, a developer and researcher at WordPress security firm WebARX, discovered the security issue last week and reported the problem to the plugin's author.
In a report published today, he described the issue as an "improper application design flow, chained with lack of permission check."
He says that an attacker who can register new accounts on a site can exploit this vulnerability to make modifications to a WordPress site's main settings, outside to what the plugin was initially meant to manage.
These modifications can allow an attacker to take over sites by installing backdoors or taking over admin accounts.
In a demo video he posted on YouTube today, Šikić showed how dangerous the vulnerability is by changing the email address associated with a WordPress site's admin account.
Read more: WordPress plugin flaw lets you take over entire sites | ZDNet