CVE-2019-9978 Information

Description

The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

http://packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.html https://blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.html https://twitter.com/warfareplugins/status/1108852747099652099 https://wordpress.org/plugins/social-warfare/developers https://wpvulndb.com/vulnerabilities/9238 https://www.cybersecurity-help.cz/vdb/SB2019032105 https://www.exploit-db.com/exploits/46794/ https://www.pluginvulnerabilities.com/2019/03/21/full-disclosure-of-settings-change-persistent-cross-site-scripting-xss-vulnerability-in-social-warfare/ https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/ The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1