CVE-2019-9978
In summary
A WordPress plugin called Social Warfare has a flaw that lets attackers store malicious code in a specific parameter, which is then executed when administrators visit certain pages. This lets attackers steal admin credentials or take control of the site.
Technical detail
Stored XSS vulnerability in the Social Warfare plugin, versions before 3.5.3, exploitable via the swp_url parameter at wp-admin/admin-post.php?swp_debug=load_options. The attack requires access to the vulnerable endpoint; the malicious payload persists in storage and executes in administrators' browsers, potentially leading to session theft or unauthorized administrative actions.
Summary generated and translated by AI from the official description.
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
n/a · n/a

Public PoCs found — 21
- github: github.com/hash3liZer/CVE-2019-9978 (★ 21)
- github: github.com/mpgn/CVE-2019-9978 (★ 8)
- github: github.com/KTN1990/CVE-2019-9978 (★ 6)
- github: github.com/yup-Ivan/CVE-2019-9978 (★ 4)
- github: github.com/grimlockx/CVE-2019-9978 (★ 4)
- github: github.com/d3fudd/CVE-2019-9978_Exploit (★ 3)
- github: github.com/echoosso/CVE-2019-9978 (★ 1)
- github: github.com/aktia1/MegaQuagga_Pentesting_Report (★ 0)
- github: github.com/h8handles/CVE-2019-9978-Python3 (★ 0)
- github: github.com/0xMoonrise/cve-2019-9978 (★ 0)
- github: github.com/MAHajian/CVE-2019-9978 (★ 0)
- github: github.com/Housma/CVE-2019-9978-Social-Warfare-WordPress-Plugin-RCE (★ 0)
- github: github.com/Vaidehim55/CVE-2019-9978-RCE-PoC (★ 0)
- github: github.com/B4ntGrim/Vuln_Exploitation_MegaQuagga_Pentest (★ 0)
- github: github.com/B4ntGrim/Vuln_Remediation_MegaQuagga (★ 0)
- github: github.com/cved-sources/cve-2019-9978 (★ 0)
- exploitdb: www.exploit-db.com/exploits/46794 (not verified)
- cve_reference: packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.html (not verified)
- cve_reference: www.exploit-db.com/exploits/46794/ (not verified)
- exploitdb: www.exploit-db.com/exploits/52346 (not verified)
- cve_reference: packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.html (not verified)

⚠ Public resources, for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
References
- http://packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.html
- https://blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.html
- http://seclists.org/fulldisclosure/2025/Jun/1
- https://twitter.com/warfareplugins/status/1108852747099652099
- https://wordpress.org/plugins/social-warfare/#developers
- https://wpvulndb.com/vulnerabilities/9238
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9978
- https://www.cybersecurity-help.cz/vdb/SB2019032105
- https://www.exploit-db.com/exploits/46794/
- https://www.pluginvulnerabilities.com/2019/03/21/full-disclosure-of-settings-change-persistent-cross-site-scripting-xss-vulnerability-in-social-warfare/
- https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/