A Cross-Site Scripting vulnerability was found in the Tribulant Slideshow Galleries WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
This issue was successfully tested on Tribulant Slideshow Galleries WordPress Plugin version 1.6.3.
A fix for this issue is not available.
A reflected cross site scripting vulnerability exists in the plugin Slideshow Galleries. This issue is due to to the fact that the view/admin/galleries/index.php file uses the following code to output an HREF link:
"<a href="<?php echo GalleryHtmlHelper::retainquery('orderby=id&order=' .(($orderby == "id") ? $otherorder : "asc")); ?>">"
The above code fails to perform any output encoding on the retainquery method, thus allowing the tag to be closed and to inject a script element: /wp-admin/admin.php?page=slideshow-galleries&method=save"><script>alert(1)<%2fscript>pwned
Please note that this particular method is called another 19 times in the project. This indicates that more similar vulnerabilities could exist in the code.