A malicious eval() payload is being inserted into the wp_options table, in the option named social_warfare_settings, in the Twitter field. While the plugin is active, it causes the site to issue a JavaScript redirect to porn sites. Deactivating the plugin stops the redirect, but the malicious eval() remains in the database. The plugin has been pulled from the WordPress repository: https://wordpress.org/support/topic/malware-into-new-update/ So far we have seen this exploited on live sites running 3.5.1 and 3.5.2.
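Because the payload stays in the database after the plugin is deactivated, the stored option value itself needs checking. The following is an added example, not code from the plugin or from this advisory: it parses an exported option_value and reports which fields contain eval() or script markup. It assumes the option is stored as a PHP-serialized array; the key names, the sample values and the marker pattern are constructed for illustration.

```python
import re

# Heuristic markers (assumption): the eval() the advisory names, plus script tags.
SUSPICIOUS = re.compile(rb"eval\s*\(|<\s*script", re.I)

def php_unserialize(data: bytes, pos: int = 0):
    """Parse the PHP serialize() subset seen in option arrays: N, b, i, d, s, a."""
    tag = data[pos:pos + 1]
    if tag == b"N":
        return None, pos + 2                       # N;
    if tag in (b"b", b"i", b"d"):
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        return (float(raw) if tag == b"d" else int(raw)), end + 1
    if tag == b"s":                                # s:<byte length>:"<bytes>";
        colon = data.index(b":", pos + 2)
        start = colon + 2
        end = start + int(data[pos + 2:colon])
        return data[start:end], end + 2
    if tag == b"a":                                # a:<count>:{<key><value>...}
        colon = data.index(b":", pos + 2)
        count, pos, out = int(data[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            out[key], pos = php_unserialize(data, pos)
        return out, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")

def _walk(node, path):
    if isinstance(node, dict):
        for key, value in node.items():
            name = key.decode(errors="replace") if isinstance(key, bytes) else str(key)
            yield from _walk(value, f"{path}/{name}")
    elif isinstance(node, bytes) and SUSPICIOUS.search(node):
        yield path

def find_injected_fields(option_value: bytes):
    """Return the paths of string fields in a serialized option that match SUSPICIOUS."""
    parsed, _ = php_unserialize(option_value)
    return sorted(_walk(parsed, ""))

def _s(value: bytes) -> bytes:
    return b's:%d:"%s";' % (len(value), value)

# Constructed sample rows; the key names are hypothetical, not taken from the plugin.
INFECTED = (b"a:2:{" + _s(b"twitter_id") + _s(b'x"><script>eval(/*placeholder*/)</script>')
            + _s(b"float_size") + b"i:1;}")
CLEAN = b"a:1:{" + _s(b"twitter_id") + _s(b"example_handle") + b"}"

if __name__ == "__main__":
    print(find_injected_fields(INFECTED), find_injected_fields(CLEAN))
```

A flagged field means the row still needs cleaning even when the plugin is inactive or removed.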
threatpost.com/wordpress-plugin-removed-after-zero-day-discovered/143051/
twitter.com/warfareplugins/status/1108826025188909057
wordpress.org/support/topic/malware-into-new-update/
www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/
www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/