WP Gallery Bank - Best Gallery Albums Plugin 2.0.26 - 3.0.69, Reflected XSS
The output of an unsanitized query-string argument (QSA) allows injection of arbitrary content into the WordPress admin panel. Quotes are escaped with slashes before being output, so the attacker must take this into account when generating a payload.
Homepage
https://wordpress.org/plugins/gallery-bank/changelog/
CVSS Score
5
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Update to version 3.0.70
Proof of Concept
If a user who has administrative access – and is already logged in – can be tricked into visiting a specially crafted link, then arbitrary JS can be executed. The example below will trigger an alert box upon visiting the page.
http://localhost/wp-admin/admin.php?page=gallery_album_sorting&order_id={}%3C/style%3E%3Cscript%3Eeval%28String.fromCharCode%2897,108,101,114,116,40,34,46,34,41%29%29%3C/script%3E%3Cstyle%3E
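The following is an added illustration, not the plugin's own code (the advisory does not quote it): a reconstruction of the pattern described above, where a request parameter is written into admin-page markup after only slash-escaping its quotes, beside a hardened form. The function names, the `<style>` context and the surrounding markup are assumptions; the WordPress helpers used (`absint`, `esc_attr`, `esc_html`, `wp_unslash`) are real.

```php
<?php
// Added illustration (not the plugin's code): the vulnerable pattern the
// advisory describes, reconstructed, beside a hardened version.
// Function names, the <style> context and the markup are assumptions.

// Vulnerable pattern: the request value lands in admin-page markup after
// only addslashes(). Backslash-escaping quotes does not touch '<' or '>',
// so a value that closes the <style> tag and opens a <script> tag is
// rendered as HTML rather than as text.
function gb_render_sorting_page_vulnerable() {
    $order_id = isset($_GET['order_id']) ? $_GET['order_id'] : '';
    $order_id = addslashes($order_id);                 // escapes quotes only
    echo '<style>#album-' . $order_id . ' { display: block; }</style>';
}

// Hardened version: the parameter is an identifier, so constrain it to the
// type it must be (a non-negative integer) before it reaches the output.
function gb_render_sorting_page_fixed() {
    $order_id = isset($_GET['order_id']) ? absint($_GET['order_id']) : 0;
    // absint() already guarantees an integer; esc_attr() is defence-in-depth
    // should the value ever be reused in an attribute context.
    echo '<style>#album-' . esc_attr($order_id) . ' { display: block; }</style>';
}

// When a free-form string genuinely has to be reflected, encode it for the
// context it lands in. WordPress slash-escapes request superglobals itself,
// so strip those slashes first (wp_unslash) and then HTML-encode on output.
function gb_reflect_label_fixed() {
    $label = isset($_GET['label']) ? wp_unslash($_GET['label']) : '';
    echo '<p>' . esc_html($label) . '</p>';            // text context
    echo '<input value="' . esc_attr($label) . '">';   // attribute context
}
```

The point of the contrast is that slash-escaping is a string-literal protection, not an HTML one: it breaks quoted JavaScript or SQL contexts but leaves tag boundaries intact, which is why a payload that avoids quotes still works against the first function. WordPress applying `wp_magic_quotes()` to `$_GET` is a plausible (assumed, not stated by the advisory) source of the slash-escaped quotes noted above; either way, the fix is to validate the parameter's type and encode for the output context rather than to rely on added backslashes.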
Timeline
- 2014-10-10: Discovered
- 2014-10-10: Reported to vendor
- 2014-10-11: Vendor responded, 3.0.70 released, issue resolved
- 2014-10-13: CVE requested
- 2014-10-14: CVE assigned
- 2014-10-18: Advisory released