{"id":"CVE-2019-9978","details":"The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.","modified":"2026-04-10T04:21:03.960393Z","published":"2019-03-24T15:29:00.243Z","references":[{"type":"WEB","url":"https://wordpress.org/plugins/social-warfare/#developers"},{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9978"},{"type":"ADVISORY","url":"https://twitter.com/warfareplugins/status/1108852747099652099"},{"type":"ADVISORY","url":"https://wpvulndb.com/vulnerabilities/9238"},{"type":"ADVISORY","url":"https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/"},{"type":"ADVISORY","url":"https://www.exploit-db.com/exploits/46794/"},{"type":"ARTICLE","url":"http://seclists.org/fulldisclosure/2025/Jun/1"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"https://blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.html"},{"type":"EVIDENCE","url":"https://www.pluginvulnerabilities.com/2019/03/21/full-disclosure-of-settings-change-persistent-cross-site-scripting-xss-vulnerability-in-social-warfare/"},{"type":"EVIDENCE","url":"https://www.cybersecurity-help.cz/vdb/SB2019032105"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/152722/Wordpress-Social-Warfare-Remote-Code-Execution.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/warfare-plugins/social-warfare-pro","events":[{"introduced":"0"},{"fixed":"20d9ee2a588f4a1f220eb8eab7156547453cded7"},{"introduced":"0"},{"fixed":"20d9ee2a588f4a1f220eb8eab7156547453cded7"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.5.3"},{"introduced":"0"},{"fixed":"3.5.3"}]}}],"versions":["2.2.0","2.2.1","2.2.10","2.2.11","2.2.2","2.2.3","2.2.5","2.2.6","2.2.7","2.2.8","2.2.9","2.3.0","2.3.1","2.3.2","2.3.3","2.3.4","3.3.2","3.3.3","3.4.1","3.4.2","3.5.0","3.5.1","3.5.2","v2.2.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9978.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}