wp-plugin : all-in-one-social-lite – SSRF/XSPA


Plugin Details


Plugin Name : all-in-one-social-lite


Affected Version : 1.0 (and most probably lower versions, if any)

Vulnerability : SSRF/XSPA
Identified by : Prajal Kulkarni



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :


For the purpose of demonstration we used scanme.nmap.org, where ports 80 and 22 are open and port 21 is closed.

1. Test for open port 80 :

The “in_index” key value is “true” for open ports (see OpenPort80.png).

2. Test for open non-HTTP ports (like SSH, FTP, SMTP etc.) :

The “in_index” key value is “true” for open ports (see OpenPort22.png).


3. Test for closed port 21 :

The “in_index” key value is “false” for the closed port (see ClosedPort21.png).
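As an added defender-side example (not code from the plugin or its vendor), this is the kind of allow-list check a "fetch this URL for the user" feature should apply before the server connects anywhere; the function name and the injectable $resolver parameter are assumptions, and the stub DNS answers are constructed so the snippet runs offline.

```php
<?php
// Added example, not the plugin's own code: validate a user-supplied URL before the
// server fetches it, so the fetch cannot be turned into an internal port scan.
// Allowed: http/https only, port 80/443 only, and every resolved address public.
function aiosl_is_safe_fetch_target(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    // Fetching an arbitrary port is what turns the fetcher into a port scanner.
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return false;
    }
    // IPv6 literals arrive as "[::1]"; strip the brackets before checking.
    $host = strtolower(trim($parts['host'], '[]'));
    // Resolver is injectable (hypothetical parameter) so the check runs offline in tests.
    $resolver = $resolver ?? fn(string $h): array => gethostbynamel($h) ?: [];
    $addresses = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolver($host);
    if (empty($addresses)) {
        return false;
    }
    foreach ($addresses as $ip) {
        // NO_PRIV_RANGE rejects RFC 1918 / fc00::/7; NO_RES_RANGE rejects loopback,
        // link-local, 0.0.0.0/8 and other reserved blocks. Every address must pass.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// Constructed inputs with a stub resolver; no network access is needed to run this.
$stub = fn(string $h): array => [
    'api.example.com' => ['93.184.216.34'],
    'mixed.example'   => ['93.184.216.34', '127.0.0.1'], // one public, one loopback
][$h] ?? [];
var_dump(aiosl_is_safe_fetch_target('https://api.example.com/shares', $stub)); // allowed
var_dump(aiosl_is_safe_fetch_target('http://api.example.com:22/', $stub));     // non-web port
var_dump(aiosl_is_safe_fetch_target('http://10.0.0.5/', $stub));                // private address
var_dump(aiosl_is_safe_fetch_target('http://mixed.example/', $stub));           // loopback in answers
```

Because the HTTP client resolves the name again when it connects, pin the connection to the address that passed validation (or use WordPress core's wp_safe_remote_get(), which applies a similar private-address and port check) so a changed DNS answer cannot bypass the check.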



Disclosure Timeline


Vendor Contacted : 2013-12-15

Plugin Status : Closed
Public Disclosure : May 28, 2014
CVE Number : Not assigned yet

Plugin Description :
All in One Social Lite is a simple plugin to show social trends. Once the plugin is installed, it creates a widget which is responsive and suits any WordPress theme.

The plugin allows you to show either the total number of social shares or the total number of followers. Here we list the features of the plugin:

- Displays data from Facebook, Twitter, Google Plus, LinkedIn, StumbleUpon. More will be added in the next version
- Allows user to enter the follower count of all services manually
- Option to hide widget in non single pages
- Users can enable or disable any services

Please use our [central support forum](http://cube3x.com/forums "Support Forum") if you have any questions, bugs or feature requirement.

[Click here to view live demo](http://cube3x.com/demo/crater/ "All in One Social Lite Demo")

[Like](http://facebook.com/cube3x "Our Facebook Page") or [follow](http://twitter.com/cube3x "Our Twitter Page") us to receive live updates
