CVE-2019-9978
published 2019-03-24CVE-2019-9978: The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in…
PriorityP183medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2022-05-03
Exploited in the wild
EPSS
73.54%
99.4th percentile
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| warfareplugins | social_warfare | < 3.5.3 | 3.5.3 |
| warfareplugins | social_warfare_pro | < 3.5.3 | 3.5.3 |
Detection & IOCsextracted from sources · hover to see the quote
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"wp-admin/admin-post.php?swp_debug=load_options&swp_url="; fast_pattern; pcre:"/^https?:\/\//R"; reference:url,www.exploit-db.com/exploits/46794; classtype:attempted-admin; sid:2027315; rev:3; metadata:affected_product Wordpress_Plugins, created_at 2019_05_03, cve CVE_2019_9978, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_28;)
- →Detect exploitation attempts by monitoring HTTP GET requests to /wp-admin/admin-post.php with both swp_debug=load_options and swp_url= parameters present in the URI.
- →Presence of the Social Warfare plugin can be fingerprinted via the readme.txt file; check for vulnerable versions 3.5.0–3.5.2.
- →The webshell payload dropped by in-the-wild attackers uses eval($_REQUEST['wpaa']); hunt for this string in web server logs and PHP files.
- →FOFA/Shodan fingerprint for exposed vulnerable instances: body contains both 'social-warfare' and 'wp-'.
- ·The exploit is unauthenticated — no WordPress login is required to trigger either the RCE or Stored XSS, so authentication-based controls will not block exploitation. ↗
- ·Both vulnerabilities (RCE and Stored XSS) are present in Social Warfare versions 3.5.0–3.5.2 only; version 3.5.3 contains the fix. ↗
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck6.1MEDIUM
cisa6.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-gfx2-wv94-38hv: The social-warfare plugin before 3
ghsa_unreviewed·2022-05-13
CVE-2019-9978 [MEDIUM] CWE-79 GHSA-gfx2-wv94-38hv: The social-warfare plugin before 3
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
VulnCheck
WordPress Social Warfare Plugin Cross-Site Scripting (XSS) Vulnerability
vulncheck·2019·CVSS 6.1
CVE-2019-9978 [MEDIUM] CWE-79 WordPress Social Warfare Plugin Cross-Site Scripting (XSS) Vulnerability
WordPress Social Warfare Plugin Cross-Site Scripting (XSS) Vulnerability
WordPress Social Warfare plugin contains a cross-site scripting (XSS) vulnerability that allows for remote code execution. This vulnerability affects Social Warfare and Social Warfare Pro.
Affected: WordPress Social Warfare Plugin
Required Action: Apply updates per vendor instructions.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2019-9978; https://www.cve.org/CVERecord?id=CVE-2019-9978; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-26&host_type=src&vulnerability=cve-2019-9978; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-27&host_type
CISA
WordPress Social Warfare Plugin Cross-Site Scripting (XSS) Vulnerability
cisa·2021-11-03·CVSS 6.1
CVE-2019-9978 [MEDIUM] CWE-79 WordPress Social Warfare Plugin Cross-Site Scripting (XSS) Vulnerability
Vulnerability: WordPress Social Warfare Plugin Cross-Site Scripting (XSS) Vulnerability
Affected: WordPress Social Warfare Plugin
WordPress Social Warfare plugin contains a cross-site scripting (XSS) vulnerability that allows for remote code execution. This vulnerability affects Social Warfare and Social Warfare Pro.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-9978
Remediation Due Date: 2022-05-03
Suricata
ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978)
suricata·2019-05-03·CVSS 6.1
CVE-2019-9978 [MEDIUM] ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978)
ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978)
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"wp-admin/admin-post.php?swp_debug=load_options&swp_url="; fast_pattern; pcre:"/^https?:\/\//R"; reference:url,www.exploit-db.com/exploits/46794; classtype:attempted-admin; sid:2027315; rev:3; metadata:affected_product Wordpress_Plugins, created_at 2019_05_03, cve CVE_2019_9978, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_28;)
Exploit-DB
Social Warfare WordPress Plugin 3.5.2 - Remote Code Execution (RCE)
exploitdb·2025-06-26·CVSS 6.1
CVE-2019-9978 [MEDIUM] Social Warfare WordPress Plugin 3.5.2 - Remote Code Execution (RCE)
Social Warfare WordPress Plugin 3.5.2 - Remote Code Execution (RCE)
---
#!/usr/bin/env python3
# Exploit Title: Social Warfare WordPress Plugin 3.5.2 - Remote Code Execution (RCE)
# Date: 25-06-2025
# Exploit Author: Huseyin Mardini (@housma)
# Original Researcher: Luka Sikic
# Original Exploit Author: hash3liZer
# Vendor Homepage: https://wordpress.org/plugins/social-warfare/
# Software Link: https://downloads.wordpress.org/plugin/social-warfare.3.5.2.zip
# Version: ) appears to no longer work as intended in many modern environments
# Usage:
# 1. Edit the config section below and replace `ATTACKER_IP` with your machine's IP.
# 2. Run the script: `python3 exploit.py`
# 3. It will:
# - Create a PHP payload and save it as `payload.txt` (or any filename you set in PAYLOAD_FILE)
# - Start
Exploit-DB
WordPress Plugin Social Warfare < 3.5.3 - Remote Code Execution
exploitdb·2019-05-03·CVSS 6.1
CVE-2019-9978 [MEDIUM] WordPress Plugin Social Warfare < 3.5.3 - Remote Code Execution
WordPress Plugin Social Warfare ] Sending Payload to System!"
exploit = EXPLOIT( options.target, options.payload )
exploit.engage()
if __name__ == "__main__":
main()
Nuclei
WordPress Social Warfare <3.5.3 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2019-9978 [MEDIUM] WordPress Social Warfare <3.5.3 - Cross-Site Scripting
WordPress Social Warfare <3.5.3 - Cross-Site Scripting
WordPress Social Warfare plugin before 3.5.3 contains a cross-site scripting vulnerability via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, affecting Social Warfare and Social Warfare Pro.
Template:
id: CVE-2019-9978
info:
name: WordPress Social Warfare <3.5.3 - Cross-Site Scripting
author: madrobot,dwisiswant0
severity: medium
description: WordPress Social Warfare plugin before 3.5.3 contains a cross-site scripting vulnerability via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, affecting Social Warfare and Social Warfare Pro.
impact: |
Attackers can execute arbitrary scripts in admin context, potentially leading to session hijacking or privilege escalation.
remediation: |
Update to
Dfir Report
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity
blogs_dfir_report·2023-12-18
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity
From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion Read More
- dragonforce Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs Read More
Services Overview
Threat Hunting
-
Integration
CTI Program Advisory
Incident Response Playbook
About us
Contact Us
Collaboration
Careers
Analysts
Access DFIR Labs
Get in Touch
Public Reports
Products Overview
Threat intel Overview
Threat Feed
Private DFIR Reports
All Intel
Active Defense
DFIR Labs
Case Artifacts
Detection Pack
AI Training Ground
Service Overview
Threat Hunting
Integration
CTI Program Advisory
Incident Response Playbook
Company Overview
About us
Contact Us
Careers
Analyst
SQL Brute Force Leads to BlueSky Ransomware
From OneNote to RansomNote: An Ice Col
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Unit42
Exploits in the Wild for WordPress Social Warfare Plugin CVE-2019-9978
blogs_unit42·2019-04-22·CVSS 6.1
CVE-2019-9978 [MEDIUM] Exploits in the Wild for WordPress Social Warfare Plugin CVE-2019-9978
Threat Research Center
Threat Research
Vulnerabilities
## Exploits in the Wild for WordPress Social Warfare Plugin CVE-2019-9978
Qi Deng
Zhibin Zhang
Hui Gao
Published: April 22, 2019
Threat Research
Vulnerabilities
CVE-2019-9978
Social Warfare Plugin
WordPress
On 21 March, researchers disclosed two vulnerabilities in Social Warfare , a very popular plugin in WordPress which adds social share buttons to a website or blog. One vulnerability is a Stored Cross-site Scripting Attack (XSS) vulnerability and the other is a remote code execution (RCE) vulnerability, both are tracked by CVE-2019-9978 . Both vulnerabilities are present in versions 3.5.0-3.5.2 of Social Warfare: a fix was released on 21 March and is in version 3.5.3. Approximately 60,000 active installations were foun
Unit42
Exploits in the Wild for WordPress Social Warfare Plugin CVE-2019-9978
blogs_unit42·2019-04-22·CVSS 6.1
CVE-2019-9978 [MEDIUM] Exploits in the Wild for WordPress Social Warfare Plugin CVE-2019-9978
On 21 March, researchers disclosed two vulnerabilities in Social Warfare, a very popular plugin in WordPress which adds social share buttons to a website or blog. One vulnerability is a Stored Cross-site Scripting Attack (XSS) vulnerability and the other is a remote code execution (RCE) vulnerability, both are tracked by CVE-2019-9978. Both vulnerabilities are present in versions 3.5.0-3.5.2 of Social Warfare: a fix was released on 21 March and is in version 3.5.3. Approximately 60,000 active installations were found at the time of writing which are potentially vulnerable until they update to 3.5.3. An attacker can use these vulnerabilities to run arbitrary PHP code and control the website and the server without authentication. The attackers may use the compromised sites to perform digital
http://packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.htmlhttp://packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.htmlhttps://blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.htmlhttps://twitter.com/warfareplugins/status/1108852747099652099https://wordpress.org/plugins/social-warfare/#developershttps://wpvulndb.com/vulnerabilities/9238https://www.cybersecurity-help.cz/vdb/SB2019032105https://www.exploit-db.com/exploits/46794/https://www.pluginvulnerabilities.com/2019/03/21/full-disclosure-of-settings-change-persistent-cross-site-scripting-xss-vulnerability-in-social-warfare/https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/http://packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.htmlhttp://packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.htmlhttp://seclists.org/fulldisclosure/2025/Jun/1https://blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.htmlhttps://twitter.com/warfareplugins/status/1108852747099652099https://wordpress.org/plugins/social-warfare/#developershttps://wpvulndb.com/vulnerabilities/9238https://www.cybersecurity-help.cz/vdb/SB2019032105https://www.exploit-db.com/exploits/46794/https://www.pluginvulnerabilities.com/2019/03/21/full-disclosure-of-settings-change-persistent-cross-site-scripting-xss-vulnerability-in-social-warfare/https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9978
2019-03-24
Published
2021-11-03
Added to CISA KEV
Exploited in the wild