CVE-2019-9978 - OpenCVE

The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Warfareplugins	Social Warfare Pro Social Warfare

Configuration 1 [-]

OR	cpe:2.3:a:warfareplugins:social_warfare::::::wordpress::*
	cpe:2.3:a:warfareplugins:social_warfare_pro::::::wordpress::*

References

Link	Resource
http://packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.html	Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.html
https://blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.html	Exploit Third Party Advisory
https://twitter.com/warfareplugins/status/1108852747099652099	Third Party Advisory
https://wordpress.org/plugins/social-warfare/#developers	Product Third Party Advisory
https://wpvulndb.com/vulnerabilities/9238	Third Party Advisory
https://www.cybersecurity-help.cz/vdb/SB2019032105	Exploit Third Party Advisory
https://www.exploit-db.com/exploits/46794/	Third Party Advisory VDB Entry
https://www.pluginvulnerabilities.com/2019/03/21/full-disclosure-of-settings-change-persistent-cross-site-scripting-xss-vulnerability-in-social-warfare/	Exploit Third Party Advisory
https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-03-24T14:47:26

Updated: 2021-07-27T16:06:12

Reserved: 2019-03-24T00:00:00

Link: CVE-2019-9978

JSON object: View

NVD Information

Status : Modified

Published: 2019-03-24T15:29:00.243

Modified: 2021-07-30T14:15:12.840

Link: CVE-2019-9978

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-27T16:06:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpvulndb.com/vulnerabilities/9238"}, {"tags": ["x_refsource_MISC"], "url": "https://www.cybersecurity-help.cz/vdb/SB2019032105"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.pluginvulnerabilities.com/2019/03/21/full-disclosure-of-settings-change-persistent-cross-site-scripting-xss-vulnerability-in-social-warfare/"}, {"tags": ["x_refsource_MISC"], "url": "https://wordpress.org/plugins/social-warfare/#developers"}, {"tags": ["x_refsource_MISC"], "url": "https://twitter.com/warfareplugins/status/1108852747099652099"}, {"name": "46794", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/46794/"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.html"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-9978", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://wpvulndb.com/vulnerabilities/9238", "refsource": "MISC", "url": "https://wpvulndb.com/vulnerabilities/9238"}, {"name": "https://www.cybersecurity-help.cz/vdb/SB2019032105", "refsource": "MISC", "url": "https://www.cybersecurity-help.cz/vdb/SB2019032105"}, {"name": "https://blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.html", "refsource": "MISC", "url": "https://blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.html"}, {"name": "https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/", "refsource": "MISC", "url": "https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/"}, {"name": "https://www.pluginvulnerabilities.com/2019/03/21/full-disclosure-of-settings-change-persistent-cross-site-scripting-xss-vulnerability-in-social-warfare/", "refsource": "MISC", "url": "https://www.pluginvulnerabilities.com/2019/03/21/full-disclosure-of-settings-change-persistent-cross-site-scripting-xss-vulnerability-in-social-warfare/"}, {"name": "https://wordpress.org/plugins/social-warfare/#developers", "refsource": "MISC", "url": "https://wordpress.org/plugins/social-warfare/#developers"}, {"name": "https://twitter.com/warfareplugins/status/1108852747099652099", "refsource": "MISC", "url": "https://twitter.com/warfareplugins/status/1108852747099652099"}, {"name": "46794", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46794/"}, {"name": "http://packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.html"}, {"name": "http://packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-9978", "datePublished": "2019-03-24T14:47:26", "dateReserved": "2019-03-24T00:00:00", "dateUpdated": "2021-07-27T16:06:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"cisaActionDue": "2022-05-03", "cisaExploitAdd": "2021-11-03", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "WordPress Social Warfare Plugin Cross-Site Scripting (XSS) Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:warfareplugins:social_warfare:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "83C18979-2FA0-41FD-937B-D36626C39424", "versionEndExcluding": "3.5.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:warfareplugins:social_warfare_pro:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "36C5708C-0DF3-4426-BEDE-4E8B94AA36BD", "versionEndExcluding": "3.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro."}, {"lang": "es", "value": "El plugin social-warfare, en versiones anteriores a la 3.5.3 para WordPress, tiene Cross-Site Scripting (XSS) persistente mediante el par\u00e1metro swp_url en wp-admin/admin-post.php?swp_debug=load_options, tal y como se explot\u00f3 \"in the wild\" en marzo de 2019. Esto afecta a Social Warfare y Social Warfare Pro."}], "id": "CVE-2019-9978", "lastModified": "2021-07-30T14:15:12.840", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-03-24T15:29:00.243", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.html"}, {"source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://twitter.com/warfareplugins/status/1108852747099652099"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://wordpress.org/plugins/social-warfare/#developers"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://wpvulndb.com/vulnerabilities/9238"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.cybersecurity-help.cz/vdb/SB2019032105"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46794/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.pluginvulnerabilities.com/2019/03/21/full-disclosure-of-settings-change-persistent-cross-site-scripting-xss-vulnerability-in-social-warfare/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}