WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting

# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Persistent Cross Site Scripting
# inurl:"\wp-content\plugins\photo-gallery"
# Date: 09-10-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://10web.io/
# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip
# Version: Up to v1.5.34
# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows
# CVE : 2019-16117

# Software description:
Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.


# Technical Details & Impact:
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.


# POC

1.    In Add Gallery/Images tab 
2.    Edit current image gallery
3.    In Alt/Title or Description text area add XSS payload e.g;
<script>alert(1);</script>

4.    Click Save and preview.
5.    It will show pop-up confirming existence of XSS vulnerability 

# Timeline
09-01-2019 - Vulnerability Reported
09-03-2019 - Vendor responded
09-04-2019 - New version released (1.5.35)
09-10-2019 - Full Disclosure

# References:
https://wordpress.org/plugins/photo-gallery/#developers
https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/models/Galleries.php?old=2135029&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fmodels%2FGalleries.php
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16117