Luka Šikić, a developer and researcher at WordPress security company WebARX, discovered the security problem last week and told the plugin’s author about the problem. Fix wordpress malware redirect hack with these steps. In a report published today, he described the problem as “an improper application design flow chained with a lack of permission checks.” He says an attacker who can register new accounts on a site can use this vulnerability to make changes to the main settings of a WordPress site, outside what the plugin was originally intended to manage. These changes can allow an attacker to install backdoors or take over admin accounts to take over sites. Šikić showed in a demo video he posted on YouTube today how dangerous the vulnerability is by changing the email address associated with the admin account of a WordPress site. Šikić says last week he notified WPBrigade, the company behind the plugin, and a day after his report they released a patch. Users are advised to install version 2.0.22 of Simple Social Buttons, released on February 8 last Friday. Because of its consequences, the problem should not be taken lightly. Some sites are protected against this vulnerability inherently, as their admins have already blocked user registration for security reasons. However, sites that allow users to register to post comments on blog posts are vulnerable to attacks and should be used as soon as possible to update the plugin. You may use the following free web scanning tool to know the issue directly. Here is the steps to fix admin login hack issue. According to statistics from the official WordPress Plugins repository, the plugin has been installed on more than 40,000 websites, making it an attractive target for WordPress botnet operators.