6.1

CVE-2019-9978

Warning
Exploit

Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update

The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
Possible countermeasure
Social Sharing Plugin – Social Warfare: Update to version 3.5.3, or a newer patched version
Further vulnerability information
System: WordPress Plugin
Product: Social Sharing Plugin – Social Warfare
Version: [*, 3.5.3)
Data provided by the National Vulnerability Database (NVD)
Warfareplugins | Social Warfare | SwPlatform: wordpress | Version: < 3.5.3
Warfareplugins | Social Warfare Pro | SwPlatform: wordpress | Version: < 3.5.3

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: WordPress Social Warfare Plugin Cross-Site Scripting (XSS) Vulnerability

Description: WordPress Social Warfare plugin contains a cross-site scripting (XSS) vulnerability that allows for remote code execution. This vulnerability affects Social Warfare and Social Warfare Pro.

Required actions: Apply updates per vendor instructions.
EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 87.51% | 0.994

CVSS metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://wpvulndb.com/vulnerabilities/9238 (Third Party Advisory, Broken Link)
https://www.exploit-db.com/exploits/46794/ (Third Party Advisory, VDB Entry)