CVE-2019-9978

Name of the Vulnerable Software and Affected Versions Social Warfare plugin versions prior to 3.5.3 Social Warfare Pro versions prior to 3.5.3

Description The issue is related to stored XSS via the swp url parameter in the wp-admin/admin-post.php?swp debug=load options endpoint. This has been exploited in the wild in March 2019. The vulnerability exists due to inadequate protection of the webpage structure, allowing a remote attacker to perform cross-site scripting attacks.

Recommendations For Social Warfare plugin versions prior to 3.5.3, update to version 3.5.3 or later. For Social Warfare Pro versions prior to 3.5.3, update to version 3.5.3 or later. As a temporary workaround, consider restricting access to the wp-admin/admin-post.php?swp debug=load options endpoint until a patch is applied. Avoid using the swp url parameter in the affected endpoint until the issue is resolved.