6.1

CVE-2019-9978

Warning
Exploit

Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update

The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
Possible countermeasure
Social Sharing Plugin – Social Warfare: Update to version 3.5.3, or a newer patched version
Data provided by the National Vulnerability Database (NVD)
Warfareplugins | Social Warfare | SwPlatform: wordpress | Version < 3.5.3
Warfareplugins | Social Warfare Pro | SwPlatform: wordpress | Version < 3.5.3
Additional vulnerability information
System: WordPress Plugin
Product: Social Sharing Plugin – Social Warfare
Version: [*, 3.5.3)

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: WordPress Social Warfare Plugin Cross-Site Scripting (XSS) Vulnerability

Description: WordPress Social Warfare plugin contains a cross-site scripting (XSS) vulnerability that allows for remote code execution. This vulnerability affects Social Warfare and Social Warfare Pro.

Required action: Apply updates per vendor instructions.
EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 73.54% | 0.994
CVSS metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.html (Third Party Advisory, Exploit, VDB Entry)
http://packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.html (Third Party Advisory, Exploit, VDB Entry)
https://blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.html (Third Party Advisory, Exploit)
https://twitter.com/warfareplugins/status/1108852747099652099 (Third Party Advisory)
https://wordpress.org/plugins/social-warfare/#developers (Product)
https://wpvulndb.com/vulnerabilities/9238 (Third Party Advisory, Broken Link)
https://www.cybersecurity-help.cz/vdb/SB2019032105 (Third Party Advisory, Exploit)
https://www.exploit-db.com/exploits/46794/ (Third Party Advisory, VDB Entry)
https://www.pluginvulnerabilities.com/2019/03/21/full-disclosure-of-settings-change-persistent-cross-site-scripting-xss-vulnerability-in-social-warfare/ (Third Party Advisory, Exploit)
https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/ (Third Party Advisory)
http://seclists.org/fulldisclosure/2025/Jun/1 (Mailing List)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9978 (US Government Resource)
https://www.wordfence.com/threat-intel/vulnerabilities/id/2fca8dba-9fe7-4ce1-8903-589e42e5604d (Third Party Advisory)