Unrated severityCISA KEVNVD Advisory· Published Mar 24, 2019· Updated Oct 21, 2025

CVE-2019-9978

Description

The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/46794/mitreexploitx_refsource_EXPLOIT-DB
packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.htmlmitrex_refsource_MISC
packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.htmlmitrex_refsource_MISC
blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.htmlmitrex_refsource_MISC
twitter.com/warfareplugins/status/1108852747099652099mitrex_refsource_MISC
wordpress.org/plugins/social-warfare/mitrex_refsource_MISC
wpvulndb.com/vulnerabilities/9238mitrex_refsource_MISC
www.cybersecurity-help.cz/vdb/SB2019032105mitrex_refsource_MISC
www.pluginvulnerabilities.com/2019/03/21/full-disclosure-of-settings-change-persistent-cross-site-scripting-xss-vulnerability-in-social-warfare/mitrex_refsource_MISC
www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.070
exploit	0.030
kev	0.120
patch	0.000
ransomware	0.000