Categories: SEO, Social Media, WordPress

Major WordPress Exploit Affecting Sites with Shareaholic Social Media Sharing Plugin

A serious vulnerability was discovered earlier this month in the popular WordPress plugin Shareaholic. Some websites have already been hacked through it and had spam injected into their pages, and many more sites that have not updated remain vulnerable.

Shareaholic is one of the two most popular social media sharing plugins for WordPress, with over 100,000 active installs; AddThis is the other.

The vulnerability is a cross-site scripting (XSS) flaw that can be exploited by anyone with a login to the WordPress site, even a basic subscriber-level account. While many WordPress blogs do not openly solicit registrations, they also have not turned off self-registration (Settings > General > Membership, the “Anyone can register” checkbox), which leaves them exposed: an attacker can simply create a low-privilege account and use it to trigger the flaw. If your site does not need public registration, disable that setting regardless of which plugins you run.

Shareaholic has updated the plugin to fix the vulnerability, so be sure you are running the current version, especially if you do not update your plugins automatically. The fix was released on February 27, 2015, and you need to be running version 7.6.1.0 or higher to have it. Shareaholic posted about the issue on their blog, but there is no mention of it on their WordPress plugin page unless you dig into the changelog.
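The check a site administrator actually needs here is “is the installed version at least 7.6.1.0?”, and it is easy to get wrong by comparing version strings as text (“7.10.0.0” sorts before “7.6.1.0” as a string but is newer). The script below is an added example, not code from the article or from Shareaholic: it reads the standard WordPress plugin header comment (the `Version:` line WordPress itself parses) from a plugin's main PHP file and compares it numerically against the patched version. The sample header embedded in it is constructed for the example, and the directory-scanning helper assumes the default `wp-content/plugins` layout.

```python
"""Flag an installed Shareaholic plugin that predates the patched release.

Added example for this article; the plugin header below is constructed,
not copied from the real plugin.
"""
import re
import sys
from pathlib import Path

# Minimum version carrying the fix, as stated in the article.
PATCHED_VERSION = "7.6.1.0"

# WordPress reads plugin metadata from a comment block like this at the top of
# the plugin's main .php file. Constructed sample (vulnerable version number).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Shareaholic
Plugin URI: https://www.shareaholic.com
Description: Social sharing buttons (sample header for the example).
Version: 7.6.0.4
Author: Shareaholic
*/
"""

# Matches "Version: 7.6.0.4" with optional comment decoration (" * ", "// ").
_VERSION_RE = re.compile(r"^[ \t/*#]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)
_NAME_RE = re.compile(r"^[ \t/*#]*Plugin Name:[ \t]*(.+?)[ \t]*$", re.IGNORECASE | re.MULTILINE)


def parse_version(version: str) -> tuple:
    """Turn '7.6.1.0' into (7, 6, 1, 0); stop at the first non-numeric part
    so '7.6.1-beta' compares as 7.6.1."""
    numbers = []
    for part in re.split(r"[.\-]", version.strip()):
        match = re.match(r"\d+", part)
        if not match:
            break
        numbers.append(int(match.group()))
    return tuple(numbers)


def compare_versions(left: str, right: str) -> int:
    """Return -1, 0 or 1 like a classic comparator, padding with zeros so
    '7.6.1' and '7.6.1.0' are equal."""
    a, b = parse_version(left), parse_version(right)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a > b) - (a < b)


def header_field(text: str, pattern: re.Pattern):
    match = pattern.search(text)
    return match.group(1) if match else None


def header_version(text: str):
    """Extract the Version: value from a plugin header, or None."""
    return header_field(text, _VERSION_RE)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the patched one."""
    return compare_versions(version, PATCHED_VERSION) < 0


def check_plugin_file(path: Path) -> dict:
    """Read one plugin main file and report name, version and vulnerability."""
    text = path.read_text(encoding="utf-8", errors="replace")
    version = header_version(text)
    return {
        "file": str(path),
        "name": header_field(text, _NAME_RE),
        "version": version,
        "vulnerable": is_vulnerable(version) if version else None,  # None = no header found
    }


def scan_plugins(plugins_dir: Path) -> list:
    """Look for Shareaholic in every plugin directory under wp-content/plugins."""
    findings = []
    for php in plugins_dir.glob("*/*.php"):
        result = check_plugin_file(php)
        if result["name"] and result["name"].lower() == "shareaholic":
            findings.append(result)
    return findings


if __name__ == "__main__":
    # With a path argument, scan a real site; otherwise demonstrate on the sample.
    if len(sys.argv) > 1:
        for finding in scan_plugins(Path(sys.argv[1])):
            print(finding)
    else:
        v = header_version(SAMPLE_HEADER)
        print(f"sample header version {v}: vulnerable={is_vulnerable(v)}")
```

Run it as `python check_shareaholic.py /var/www/html/wp-content/plugins` on the server, or with no argument to see it flag the constructed 7.6.0.4 header. Note that a plugin can only be trusted as patched if the file on disk says so; a dashboard that has not refreshed its update check may still show stale information.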

When you update, it is also worth double-checking that any monetization options you had disabled (these allow Shareaholic to insert its own advertisements, and some users have seen their own ads replaced by Shareaholic's) have not been re-enabled by the update.

Several vulnerabilities have been discovered in popular WordPress plugins over the last few months, including SEO by Yoast, Fancybox-for-Wordpress and the Revslider premium plugin. It is worth reminding WordPress users that they should regularly update all their plugins, especially the most popular ones, since those are the ones attackers target first.

While it is unclear whether it has happened for this particular plugin, if Google notices hacked content on a webpage resulting from an exploit like this, it will alert you in Google Webmaster Tools and add a “This site may be hacked” warning beneath the site's listing in the search results.


Jennifer Slegg

Founder & Editor at The SEM Post
Jennifer Slegg is a longtime speaker and expert in search engine marketing, working in the industry for almost 20 years. When she isn't sitting at her desk writing and working, she can be found grabbing a latte at her local Starbucks or planning her next trip to Disneyland. She regularly speaks at Pubcon, SMX, State of Search, Brighton SEO and more, and has been presenting at conferences for over a decade.