CVE-2019-9978
Vexday Risk Score: 85 (fix now)
SSVC decision (CISA): Act. Exploitation plus impact → immediate action.
CVSS 6.1 · EPSS 73.5% · KEV: yes · Public PoC: yes · Patch: —
Lifecycle
24 Mar 2019: published in the NVD
25 Mar 2019: public PoC
03 Nov 2021: active exploitation (added to the CISA KEV catalog)
Recommendation: fix as soon as possible; active exploitation has been confirmed.
In short
A WordPress plugin called Social Warfare has a flaw that lets attackers store malicious code in a specific parameter; that code is then executed when administrators visit certain pages. This allows attackers to steal admin credentials or take control of the site.
Technical detail
Stored XSS vulnerability in the Social Warfare plugin in versions before 3.5.3, exploitable through the swp_url parameter at wp-admin/admin-post.php?swp_debug=load_options. The attack requires access to the vulnerable endpoint; the malicious payload persists in storage and executes in administrators' browsers, which can lead to session theft or unauthorized administrative actions.
Summary generated and translated by AI from the official description.
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
n/a · n/a
Public PoCs found: 21
References
http://packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.html
http://packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.html
https://blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.html
http://seclists.org/fulldisclosure/2025/Jun/1
https://twitter.com/warfareplugins/status/1108852747099652099
https://wordpress.org/plugins/social-warfare/#developers
https://wpvulndb.com/vulnerabilities/9238
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9978
https://www.cybersecurity-help.cz/vdb/SB2019032105
https://www.exploit-db.com/exploits/46794/
https://www.pluginvulnerabilities.com/2019/03/21/full-disclosure-of-settings-change-persistent-cross-site-scripting-xss-vulnerability-in-social-warfare/
https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/