Three of the 1,000 most popular plugins in the WordPress Plugin Directory were closed on Saturday and all three contain vulnerabilities. With the plugin Social Login, Social Sharing by miniOrange (WordPress Social Login (Facebook, Google, Twitter)) what immediately stood out as we started doing a quick check of its security is that the code looks incredibly insecure, so the vulnerability we are disclosing may not be the most serious and certainly doesn’t look like it is the only one.

While our Plugin Security Checker flags the possibility of a reflected cross-site scripting (XSS) vulnerability, which in a quick glance seems to exist, that would take more time to look into than something else that we came across. When changing the plugin’s settings there is no check for a valid nonce, so an attacker could cause a logged in Administrator to change the settings without intending it, otherwise known as cross-site request forgery (CSRF). That cSocial Login, Social Sharing by miniOrangean be used to cause malicious JavaScript code to be shown on the plugin’s admin page (and possibly on frontend pages), which is cross-site scripting (XSS). [Read more]