CVE-2019-9978
In short
A WordPress plugin called Social Warfare has a flaw where attackers can store malicious code in a specific parameter, which then gets executed when administrators view certain pages. This allows attackers to steal admin credentials or take control of the website.
Technical detail
Stored XSS vulnerability in Social Warfare plugin versions before 3.5.3, exploitable via the swp_url parameter in wp-admin/admin-post.php?swp_debug=load_options. Attack requires administrative access to the vulnerable parameter endpoint; malicious payload persists in storage and executes in admin browsers, potentially leading to session hijacking or unauthorized administrative actions.
Summary generated and translated by AI from the official description.
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
n/a · n/a
Public PoCs found — 21
github: github.com/hash3liZer/CVE-2019-9978 (★ 21)
github: github.com/mpgn/CVE-2019-9978 (★ 8)
github: github.com/KTN1990/CVE-2019-9978 (★ 6)
github: github.com/yup-Ivan/CVE-2019-9978 (★ 4)
github: github.com/grimlockx/CVE-2019-9978 (★ 4)
github: github.com/d3fudd/CVE-2019-9978_Exploit (★ 3)
github: github.com/echoosso/CVE-2019-9978 (★ 1)
github: github.com/aktia1/MegaQuagga_Pentesting_Report (★ 0)
github: github.com/h8handles/CVE-2019-9978-Python3 (★ 0)
github: github.com/0xMoonrise/cve-2019-9978 (★ 0)
github: github.com/MAHajian/CVE-2019-9978 (★ 0)
github: github.com/Housma/CVE-2019-9978-Social-Warfare-WordPress-Plugin-RCE (★ 0)
github: github.com/Vaidehim55/CVE-2019-9978-RCE-PoC (★ 0)
github: github.com/B4ntGrim/Vuln_Exploitation_MegaQuagga_Pentest (★ 0)
github: github.com/B4ntGrim/Vuln_Remediation_MegaQuagga (★ 0)
github: github.com/cved-sources/cve-2019-9978 (★ 0)
exploitdb: www.exploit-db.com/exploits/46794 (unverified)
cve_reference: packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.html (unverified)
cve_reference: www.exploit-db.com/exploits/46794/ (unverified)
exploitdb: www.exploit-db.com/exploits/52346 (unverified)
cve_reference: packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.html (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.html
http://packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.html
https://blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.html
http://seclists.org/fulldisclosure/2025/Jun/1
https://twitter.com/warfareplugins/status/1108852747099652099
https://wordpress.org/plugins/social-warfare/#developers
https://wpvulndb.com/vulnerabilities/9238
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9978
https://www.cybersecurity-help.cz/vdb/SB2019032105
https://www.exploit-db.com/exploits/46794/
https://www.pluginvulnerabilities.com/2019/03/21/full-disclosure-of-settings-change-persistent-cross-site-scripting-xss-vulnerability-in-social-warfare/
https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/