CVE-2023-4773 in Social Login Plugin
Summary
by MITRE • 09/06/2023
The WordPress Social Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wordpress_social_login_meta' shortcode in versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/10/2026
The WordPress Social Login plugin represents a widely adopted solution for enabling social media authentication on WordPress websites, allowing users to log in using their existing social media accounts. This plugin facilitates seamless user authentication by integrating with popular platforms such as Facebook, Google, Twitter, and others, thereby reducing the burden of managing multiple login credentials. However, the vulnerability identified in version 3.0.4 and earlier versions exposes a critical weakness in the plugin's security architecture that could be exploited by malicious actors within the WordPress environment.
The technical flaw resides in the improper handling of user-supplied attributes within the 'wordpress_social_login_meta' shortcode implementation. Specifically, the plugin fails to adequately sanitize input data and escape output content before rendering it on web pages. This deficiency creates a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into the plugin's shortcode parameters. The vulnerability affects all user roles with contributor-level permissions and above, which is particularly concerning since contributors often have significant access to website content and can modify posts, pages, and media files.
The operational impact of this vulnerability extends beyond simple script injection, as it enables authenticated attackers to execute arbitrary web scripts in the context of any user who accesses a page containing the maliciously injected content. This stored XSS vulnerability can be exploited to steal session cookies, perform unauthorized actions on behalf of users, redirect visitors to malicious websites, or even escalate privileges within the WordPress environment. Attackers could craft malicious shortcodes that, when embedded in posts or pages, would execute upon page load, potentially compromising multiple users who access those pages.
The vulnerability aligns with CWE-79: Improper Neutralization of Input During Web Page Generation, which specifically addresses the failure to properly sanitize user input before it is rendered in web applications. This weakness is particularly dangerous in WordPress environments where contributors and higher-level users often have the ability to modify content, creating a vector for persistent attacks that can affect numerous website visitors. From an ATT&CK perspective, this vulnerability maps to T1566.002: Phishing via Social Media, as attackers can leverage the social login functionality to deliver malicious payloads through compromised social media accounts.
Mitigation strategies should begin with immediate plugin updates to version 3.0.5 or later, which contain the necessary patches to address the input sanitization and output escaping deficiencies. Administrators should also implement strict content validation policies and consider role-based access controls that limit the ability of lower-level users to inject content that could affect other users. Additionally, implementing content security policies and regular security audits of installed plugins can help prevent similar vulnerabilities from being exploited in the future. Organizations should also consider implementing web application firewalls to detect and block potential XSS attack vectors.