Subject: SQL injection and Cross-Site Scripting (XSS) in GigPress 2.3.10
Date: Mon, 24 Aug 2015 14:35:29 +0200

Hello,

Plugin: GigPress 2.3.10 https://wordpress.org/plugins/gigpress/

1. Reflected Cross-Site Scripting (XSS)

Authenticated users (such as editors) can inject HTML/JS code (there is no CSRF protection).

Method: GET
Url: http://localhost/wp-admin/admin.php?page=gigpress-tours&gpaction=edit&tour_id=[VALID_TOUR_ID]&gp-page=[xss]
Vulnerable parameters: gp-page

Please note that the attacker needs to know a valid tour_id for exploitation.

Example PHP callstack:
gigpress_tours   [/gigpress/admin/tours.php:53]

Verification (tour_id=1):
http://localhost/wp-admin/admin.php?page=gigpress-tours&gpaction=edit&tour_id=1&gp-page=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%3E

Potentially similar XSS (via the same gp-page parameter) is also present in:

gigpress_venues()
gigpress_admin_shows()
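The following is an added illustration, not GigPress code, of the defect class described above and of its fix: a pagination parameter such as gp-page is echoed into admin markup, which is only safe if it is type-constrained and escaped for its output context, and state-changing links carry a nonce so the handler can reject forged requests. All function names, the capability string and the hidden-field markup are assumptions for the example.

```php
<?php
// Added example (not from the GigPress plugin). Function names, the
// 'edit_posts' capability and the markup below are hypothetical.

// Vulnerable pattern: the raw query-string value lands in an attribute.
// A value that closes the quote and opens a new tag is rendered as HTML.
function gp_example_pager_vulnerable() {
    $page = isset( $_GET['gp-page'] ) ? $_GET['gp-page'] : 1;
    echo '<input type="hidden" name="gp-page" value="' . $page . '">';
}

// Hardened pattern.
function gp_example_pager_hardened() {
    // 1. Type-constrain: a page number can only be a positive integer.
    //    absint() reduces any injected string to 0, which is then clamped.
    $page = isset( $_GET['gp-page'] ) ? absint( wp_unslash( $_GET['gp-page'] ) ) : 1;
    if ( $page < 1 ) {
        $page = 1;
    }

    // 2. Escape at output regardless (defence in depth): esc_attr() for
    //    attribute context, esc_html() for text nodes, esc_url() for href/src.
    echo '<input type="hidden" name="gp-page" value="' . esc_attr( $page ) . '">';

    // 3. Links that lead to a state change carry a nonce, so a cross-site
    //    forged request (the "no CSRF protection" point) is rejected later.
    $edit_url = add_query_arg(
        array(
            'page'     => 'gigpress-tours',
            'gpaction' => 'edit',
            'tour_id'  => 1,
            'gp-page'  => $page,
        ),
        admin_url( 'admin.php' )
    );
    echo '<a href="' . esc_url( wp_nonce_url( $edit_url, 'gp_edit_tour_1' ) ) . '">Edit</a>';
}

// The handler checks capability and nonce before doing anything.
function gp_example_edit_handler() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $tour_id = isset( $_GET['tour_id'] ) ? absint( $_GET['tour_id'] ) : 0;
    // Dies with an error page when the nonce is missing, expired or forged.
    check_admin_referer( 'gp_edit_tour_' . $tour_id );
    // ... perform the edit ...
}
```

The escaping functions are chosen by output context: the same integer would go through esc_html() if printed as text and esc_url() if placed in a link. Constraining the type first means the escape is a second line of defence rather than the only one.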


2. Blind SQL injection

Authenticated users (such as editors) can execute arbitrary SQL commands (there is no CSRF protection).

Method: GET
Url: http://localhost/wp-admin/admin.php?page=gigpress-shows&sort=[sqli]
Vulnerable parameters: sort, limit

Example PHP callstack:
gigpress_admin_shows   [/gigpress/admin/shows.php:119]
wpdb::get_results 

Verification:
http://localhost/wp-admin/admin.php?page=gigpress-shows&sort=,(SELECT%20*%20FROM%20(SELECT%20SLEEP(5))xxx);--%20-
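As an added illustration (again not the plugin's own code), here is why sort and limit are a harder case than a value parameter, and how they should be handled. $wpdb->prepare() binds values, not identifiers, so an ORDER BY column taken from the request cannot be fixed by a placeholder alone; it has to be mapped through an allowlist, while limit and offset are cast to integers and bound with %d. The table and column names and the request parameter names other than sort, limit and gp-page are assumptions.

```php
<?php
// Added example (not from the GigPress plugin). Table/column names and the
// 'dir' parameter are hypothetical; $wpdb is the WordPress database object.

// Vulnerable pattern: sort and limit are concatenated into the statement.
// The sort value becomes part of the query text, so the SLEEP() probe above
// is evaluated and the trailing "-- -" comments out the remainder.
function gp_example_shows_vulnerable( $wpdb ) {
    $sort  = isset( $_GET['sort'] )  ? $_GET['sort']  : 'show_date';
    $limit = isset( $_GET['limit'] ) ? $_GET['limit'] : 20;
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}gigpress_shows ORDER BY $sort LIMIT $limit"
    );
}

// Hardened pattern: identifiers come from an allowlist, numbers are typed
// and clamped, and the numeric values are bound by prepare().
function gp_example_shows_hardened( $wpdb ) {
    // The request value is only ever used as a lookup key into this map;
    // the interpolated column name always comes from the right-hand side.
    $allowed_sort = array(
        'date'  => 'show_date',
        'venue' => 'venue_id',
        'title' => 'show_title',
    );
    $requested = isset( $_GET['sort'] ) ? sanitize_key( wp_unslash( $_GET['sort'] ) ) : '';
    $sort      = isset( $allowed_sort[ $requested ] ) ? $allowed_sort[ $requested ] : 'show_date';

    // Sort direction is a two-value allowlist as well.
    $dir = ( isset( $_GET['dir'] ) && 'DESC' === strtoupper( $_GET['dir'] ) ) ? 'DESC' : 'ASC';

    // limit and the page number are integers; absint() discards injected text.
    $limit  = isset( $_GET['limit'] ) ? absint( $_GET['limit'] ) : 20;
    $limit  = max( 1, min( $limit, 200 ) );   // clamp to a sane range
    $page   = isset( $_GET['gp-page'] ) ? max( 1, absint( $_GET['gp-page'] ) ) : 1;
    $offset = ( $page - 1 ) * $limit;

    // $sort and $dir are now trusted constants; %d binds the numeric values.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}gigpress_shows ORDER BY $sort $dir LIMIT %d OFFSET %d",
        $limit,
        $offset
    );
    return $wpdb->get_results( $sql );
}
```

WordPress 6.2 and later also accept a %i identifier placeholder in prepare(), but the allowlist is still the right control here, since it decides which columns are exposed to sorting at all rather than merely quoting whatever name arrives. The nonce and capability checks from the tours example apply to this page's handlers in the same way.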

--
Regards,
Marcin Probola,