wp-plugin : wp-social-invitations – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : wp-social-invitations


Affected Version : (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Prajal Kulkarni



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :


Vulnerable Parameter : xhrurl


Trac ChangeLog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=848497%40wp-social-invitations&old=829444%40wp-social-invitations&sfp_email=&sfph_mail=#file239
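The advisory gives only the parameter name, so the following is an added illustration, not the plugin's code or its actual fix: it assumes the plugin reflected the request parameter `xhrurl` into page markup without escaping, and shows the hardened form a WordPress plugin would use. Function names prefixed `wsi_example_` are hypothetical; `wp_unslash`, `esc_url`, `home_url` and `admin_url` are WordPress core functions, so the block runs inside WordPress rather than stand-alone.

```php
<?php
// Added illustration, not the plugin's code. Assumes the request parameter
// "xhrurl" was reflected into an HTML attribute without escaping.

// Vulnerable pattern (assumed): raw request input echoed straight into markup.
function wsi_example_vulnerable_output() {
    $xhrurl = isset( $_GET['xhrurl'] ) ? $_GET['xhrurl'] : '';
    // Whatever the visitor sends lands in the HTML unchanged: this is the
    // unauthenticated reflected XSS pattern.
    echo '<input type="hidden" id="wsi_xhrurl" value="' . $xhrurl . '">';
}

// Hardened form: validate the value, then escape for the context it is
// printed into.
function wsi_example_safe_xhrurl() {
    // wp_unslash() removes the slashes WordPress adds to request data.
    $raw = isset( $_GET['xhrurl'] ) ? wp_unslash( $_GET['xhrurl'] ) : '';

    // esc_url() rejects non-http(s) schemes (javascript:, data:, ...) and
    // encodes characters that could break out of a quoted attribute.
    $url = esc_url( $raw );

    // Defence in depth: only accept a URL that points back at this site;
    // anything else falls back to the site's own AJAX endpoint.
    $site_host = parse_url( home_url(), PHP_URL_HOST );
    $url_host  = parse_url( $url, PHP_URL_HOST );
    if ( '' === $url || $url_host !== $site_host ) {
        $url = admin_url( 'admin-ajax.php' );
    }
    return $url;
}

function wsi_example_safe_output() {
    // The value is validated and already attribute-safe (esc_url() is the
    // escaper for URLs printed into HTML attributes).
    echo '<input type="hidden" id="wsi_xhrurl" value="' . wsi_example_safe_xhrurl() . '">';
}
```

The escaper must match the output context: `esc_url()` for a URL in an attribute, `esc_url_raw()` when the value is stored or used in a redirect rather than displayed, and `esc_js()` or `wp_localize_script()` if the value is handed to inline JavaScript. Escaping at output time, as above, is what closes the reflected XSS; sanitising on input alone does not.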


Disclosure Timeline


Vendor Contacted : 2014-01-21

Plugin Status : Updated on 2014-01-30
Public Disclosure : 2014-05-28
CVE Number : CVE-2014-4597

Plugin Description :
Allow your visitors to invite friends from their social networks such as Facebook, Twitter, Foursquare, Google, Yahoo, Hotmail and more directly into your WordPress site. This plugin works perfectly with the BuddyPress and Invite Anyone plugins.

Check the [wsi demo](http://wp.timersys.com/wordpress-social-invitations/?utm_source=wsi-free&utm_medium=readme&utm_campaign=wsi)

Full documentation available in [our site](http://wp.timersys.com/wordpress-social-invitations/docs/?utm_source=wsi-free&utm_medium=readme&utm_campaign=wsi)

= Currently Supported Providers =

Facebook, Twitter, Linkedin, Foursquare, Yahoo, Live, Gmail

= Features =

* HTML emails
* Template system to edit visuals or add your branding
* Invitations Queue to handle the different API limits
* Sidebar widget for sidebars
* Predefined invitation messages
* Custom CSS
* Translation ready
* Documentation

= Premium version =

* Content locker - Share you content only to users that invited their friends by using a simple shortcode
* MyCRED & Cubepoints integration
* Bypass registration lock- To use the plugin on private sites that works with invitation only
* Facebook uses SEND DIALOG
* Linkedin delivers private messages instead of posting into user status
* Twitter delivers Private messages instead of posting a tweet
* Predefined invitations can't be edited by users
* Redirect users after they send invitations
* Change order of providers
* Free Support

Get the premium version on [http://wp.timersys.com/wordpress-social-invitations/](http://wp.timersys.com/wordpress-social-invitations/?utm_source=wsi-free&utm_medium=readme&utm_campaign=wsi)

= Translations Credits =

* Spanish - Eruedados Colombia
* Serbo/Croatian - Borisa Djuraskovic
