wp-plugin : social-connect – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : social-connect


Affected Version : 1.0.4 (and probably earlier versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Prajal Kulkarni
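The advisory names 1.0.4 as the affected release but not the patched version number, so the practical check on a site is whether the installed social-connect version is at or below 1.0.4. The script below is an added example, not part of the advisory or of the plugin; it compares dotted version strings in plain POSIX sh plus awk, and the WP-CLI call that reads the installed version (`wp plugin get social-connect --field=version`) is only run when `wp` is present.

```shell
#!/bin/sh
# Added example (not from the advisory): is an installed social-connect
# version inside the affected range (<= 1.0.4)?

AFFECTED_MAX="1.0.4"   # highest version the advisory lists as affected

# version_le A B: exit 0 if A <= B, comparing each dotted numeric
# component in turn; missing trailing components count as 0.
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i in A) ? A[i] + 0 : 0
      y = (i in B) ? B[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 0
  }'
}

# is_affected VERSION: exit 0 if VERSION falls in the affected range.
is_affected() {
  version_le "$1" "$AFFECTED_MAX"
}

# On a live WordPress install (assumed: WP-CLI on PATH, run from the site
# root) read the installed version and report.
if command -v wp >/dev/null 2>&1; then
  installed=$(wp plugin get social-connect --field=version 2>/dev/null || true)
  if [ -n "$installed" ]; then
    if is_affected "$installed"; then
      echo "social-connect $installed is within the affected range (<= $AFFECTED_MAX)"
    else
      echo "social-connect $installed is newer than the affected range"
    fi
  fi
fi
```

`is_affected` takes the version string as an argument, so it can also be fed a version read from the plugin's readme.txt or from a package inventory exported from another host.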



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :


Disclosure Timeline


Vendor Contacted : 2014-01-21

Plugin Status : Updated on 2014-01-11
Public Disclosure : 2014-04-25
CVE Number : CVE-2014-4551

Plugin Description :
Social Connect adds social login buttons on the login, register and comment forms of your WordPress site.

The buttons offer login and registration using a Twitter, Facebook, Google, Yahoo or WordPress.com account.

It makes it super easy for new members to register with your site and existing members to login.

= Props =

Special thanks to:

* [markusdrake](http://wordpress.org/support/profile/markusdrake) for patches and helping in the support forums;
* [L D](http://wordpress.org/support/profile/enochfung) for patches and helping in the support forums;
* [Geodanny](http://wordpress.org/support/profile/geodanny) for helping in the support forums; and
* [Wirone](http://blog.wirone.info/) for the Polish translation and patches.

And everyone else in the forums sharing the fixes they find and answering each others questions.

= Contribute =

Social Connect is rapidly growing in popularity and help with the growing pains is appreciated.

If you're a developer, you can contribute fixes & optimisations via [Social Connect on GitHub](https://github.com/thenbrent/social-connect).

Everyone can help out by answering questions in the [Support Forums](http://wordpress.org/tags/social-connect?forum_id=10#postform).
