CVE-2023-4773 - Exploiting Stored XSS in WordPress Social Login Plugin (<= 3..4)

CVE-2023-4773 is a serious security vulnerability found in the popular WordPress plugin, Social Login, affecting versions up to 3..4. This bug allows attackers with contributor permissions or above to inject malicious Javascript into posts or pages, putting site visitors at risk every time they visit an infected page. In this article, we'll break down the vulnerability in plain English, show how it can be exploited, and provide a code example for better understanding.

What is the Vulnerability?

The WordPress Social Login plugin lets visitors register and log in with accounts from social sites like Facebook or Google. The danger comes from the way the plugin handles a shortcode called wordpress_social_login_meta. This shortcode fails to properly sanitize (clean) and escape user-supplied attributes.

Result: An attacker with at least contributor access can add arbitrary Javascript to a post—once the post is published, that JS runs for anyone viewing the page.

Who Can Exploit This?

- Anyone with "Contributor" role or higher, since they are allowed to submit posts containing shortcode.

- Attackers can

- Steal sessions/cookies

Proof of Concept (Working Example)

Suppose an attacker is logged in as a contributor. They create a new post using the vulnerable shortcode, like so:

[wordpress_social_login_meta data='"><script>alert("XSS by CVE-2023-4773")</script>']

This sneaky code closes the attribute quote and injects Javascript. When a user visits the post, they see an alert pop up—proving the code’s execution:

!XSS Proof - Dialog Box
*Visualization: Script runs on page load.*

Why Does This Work?

Normally, WordPress plugins must clean (sanitize) user input and escape output so that anything entered as data is NOT run as code. Versions ≤ 3..4 of Social Login *do not* do this enough for the attributes of this shortcode.

The plugin code (simplified) may do something like this

function render_social_login_meta( $atts ) {
    $data = $atts['data'];
    // ... then later echoes this directly ...
    echo "<span data-info='$data'></span>";
}

If $data contains malicious Javascript, it will end up inside the HTML, executed by browsers.

References

- Wordfence Advisory: Social Login Plugin – Authenticated Stored Cross-Site Scripting via Shortcode
- WPScan Report CVE-2023-4773
- Official Plugin on WP.org

How to Protect Your WordPress Site

- Upgrade immediately. Update the Social Login plugin to the latest safe version (here).

Limit contributor permissions. Don’t give users unnecessary privileges.

- Scan your site for suspicious shortcodes or Javascript using tools like WPScan or Wordfence.

Final Words

CVE-2023-4773 is an example of why even low-privileged users can pose a risk to WordPress websites if plugins are vulnerable. Always keep plugins up-to-date and review newly added content for suspicious code if you suspect a breach.

By understanding and acting on vulnerabilities like this, you keep your website—and your visitors—much safer.

Stay secure!

*This post is for educational purposes only. Always use security knowledge responsibly and never attack websites without explicit permission.*

Timeline

Published on: 09/06/2023 04:15:17 UTC
Last modified on: 11/07/2023 04:22:57 UTC