wp-plugin : wordpress-social-login – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : wordpress-social-login


Affected Version : 2.0.3 (and most probably earlier versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Prajal Kulkarni



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :


Disclosure Timeline


Vendor Contacted : 2014-01-21

Plugin Status : Updated on 2014-01-11
Public Disclosure : 2014-04-25
CVE Number : CVE-2014-4576

Plugin Description :
Using WordPress Social Login, your blog's users will be able to log in and comment with social networks such as Twitter, Facebook, Google and Yahoo.

WordPress Social Login also allows you to import users' contact lists from Google Gmail, Facebook, Windows Live and LinkedIn.

WordPress Social Login gives you absolute control over users' access to your website and comes with a painfully long list of rules and restrictions for you to set up.

Free, unlimited and white-label

Licensed under the MIT License, WordPress Social Login is available to everyone completely free, with all features included, at absolutely no cost. You are free to use WordPress Social Login in commercial websites as long as the copyright header is left intact.

Built on top of an Open Source Library

The HybridAuth Library enables developers to easily build social applications that engage website visitors and customers on a social level by implementing social sign-in, social sharing, user profiles, friends lists, activity streams, status updates and more.

23 supported social networks

Depending on the audience you're targeting, you can choose from a wide variety of providers and services including: social networks, microblogging platforms, professional networks, media, photo sharing, programmers' and gamers' networks.

Easy to customize and integrate

WordPress Social Login comes with a simple but flexible and fully customizable authentication widget. And if you are a developer or designer, you can customize it to your heart's content; changing the CSS and icons is a matter of seconds.

Even more features are planned

The coming release
