# Title: Cross-Site Request Forgery & SQL Injection Vulnerabilities in Unite Gallery Lite Wordpress Plugin v1.4.6
# Submitter: Nitin Venkatesh
# Product: Unite Gallery Lite Wordpress Plugin
# Product URL: https://wordpress.org/plugins/unite-gallery-lite/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
# Affected Versions: v1.4.6 and possibly below.
# Tested versions: v1.4.6
# Fixed Version: v1.5
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1178586/unite-gallery-lite
# Changelog: https://wordpress.org/plugins/unite-gallery-lite/changelog/
# CVE Status: New & Unassigned

## Product Information:

The Unite Gallery is an all-in-one image and video gallery for WordPress.

## Vulnerability Description:

The admin forms of the Unite Gallery Lite Wordpress Plugin are susceptible to CSRF: a logged-in administrator who visits an attacker-controlled page can be made to submit them without knowing. Additionally, the following parameters of those forms were found to be susceptible to SQLi, so the injection is reachable either directly by an authenticated administrator or, through the CSRF, by an unauthenticated attacker who can get an administrator to load a page:

Form submitted to /wp-admin/admin-ajax.php:
- data[galleryID]

Form submitted to /wp-admin/admin.php:
- galleryid
- id

## Proof of Concept:

CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6


Proof-of-concept forms were prepared for the following cases:

- CSRF - Create Gallery
- CSRF + SQLi - Update Gallery
- CSRF - Add Items
- CSRF + SQLi - Retrieve Items (Edit Settings - Items Tab)
- CSRF + SQLi - Action buttons
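The two weaknesses share one root shape in WordPress plugins: an admin action handler that neither verifies a nonce nor binds its parameters. The following is an added illustration, not code from the plugin, from the linked changeset or from this advisory's author. The handler name `example_get_gallery`, the AJAX action `example_get_gallery`, the nonce action `example_gallery_action`, the table `{$wpdb->prefix}example_galleries` and the capability `manage_options` are all assumptions chosen for the example; only the parameter name `data[galleryID]` and the endpoint come from the advisory.

```php
<?php
// Added illustration (not the plugin's code). It shows a hypothetical admin-ajax.php
// handler that reads data[galleryID], first in a form that exhibits CWE-352 + CWE-89,
// then in a hardened form. Names marked below are assumptions for the example.

/*
 * Vulnerable pattern: anyone who can make an administrator's browser POST to
 * /wp-admin/admin-ajax.php?action=example_get_gallery gets this executed with the
 * admin's cookies (CSRF), and the value is spliced straight into SQL (SQLi).
 */
function example_get_gallery_vulnerable() {
    global $wpdb;
    $gallery_id = $_POST['data']['galleryID'];            // untrusted, unvalidated
    $rows = $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}example_galleries WHERE id = " . $gallery_id
    );                                                    // string concatenation into SQL
    wp_send_json( $rows );
}

/*
 * Hardened pattern.
 */
function example_get_gallery_hardened() {
    global $wpdb;

    // CWE-352: the request must carry a nonce that WordPress issued to this user
    // for this action; a cross-site form cannot know it. check_ajax_referer()
    // dies with HTTP 403 (-1) when the nonce is missing or invalid.
    check_ajax_referer( 'example_gallery_action', 'nonce' );

    // Nonces prove intent, not authorization: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {       // capability is an assumption
        wp_send_json_error( 'forbidden', 403 );
    }

    // CWE-89: coerce the identifier to a non-negative integer and bind it through
    // $wpdb->prepare() instead of concatenating the raw string.
    $gallery_id = isset( $_POST['data']['galleryID'] ) ? absint( $_POST['data']['galleryID'] ) : 0;
    if ( 0 === $gallery_id ) {
        wp_send_json_error( 'invalid gallery id', 400 );
    }

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}example_galleries WHERE id = %d",
            $gallery_id
        )
    );
    wp_send_json_success( $rows );
}

// Register only the hardened handler for logged-in users (no wp_ajax_nopriv_ variant,
// since the action is admin-only).
add_action( 'wp_ajax_example_get_gallery', 'example_get_gallery_hardened' );

/*
 * The admin page that renders the form has to emit the matching nonce, e.g.
 *   wp_nonce_field( 'example_gallery_action', 'nonce' );
 * or, for a JavaScript-driven form, pass
 *   wp_create_nonce( 'example_gallery_action' )
 * to the script with wp_localize_script() and send it as the 'nonce' POST field.
 */
```

When auditing a plugin for this class of bug, look at every `wp_ajax_*` and `admin_post_*` handler and at every admin page that reads `$_GET`/`$_POST`: the absence of `check_ajax_referer()`/`check_admin_referer()`/`wp_verify_nonce()` is the CSRF signal, and any `$wpdb->query()`/`get_results()`/`get_var()` whose SQL string is built by concatenation or interpolation rather than `$wpdb->prepare()` is the SQLi signal. Parameters such as `galleryid` and `id` submitted to admin.php follow the same pattern through `check_admin_referer()` and the same `prepare()` call.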

## Solution:

Upgrade to v1.5 or higher.

## Disclosure Timeline:

2015-06-06 - Discovered. Reported to developer.
2015-06-10 - Updated version released.
2015-07-25 - Publishing disclosure on FD mailing list.

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way be responsible as to how the information in this disclosure is used.