# Title: Cross-Site Request Forgery & SQL Injection Vulnerabilities in
Unite Gallery Lite Wordpress Plugin v1.4.6
# Submitter: Nitin Venkatesh
# Product: Unite Gallery Lite Wordpress Plugin
# Product URL: https://wordpress.org/plugins/unite-gallery-lite/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Improper
Neutralization of Special Elements used in an SQL Command ('SQL
Injection')[CWE-89]
# Affected Versions: v1.4.6 and possibly below.
# Tested versions: v1.4.6
# Fixed Version: v1.5
# Link to code diff:
https://plugins.trac.wordpress.org/changeset/1178586/unite-gallery-lite
# Changelog: https://wordpress.org/plugins/unite-gallery-lite/changelog/
# CVE Status: New & Unassigned
## Product Information:
The Unite Gallery is all in one image and video gallery for WordPress.
## Vulnerability Description:
The admin forms of the Unite Gallery Lite Wordpress Plugin are susceptible
to CSRF. Additionally, the following parameters were found to be
susceptible to SQLi -
Form submitted to /wp-admin/admin-ajax.php:
- data[galleryID]
Form submitted to /wp-admin/admin.php:
- galleryid
- id
## Proof of Concept:
CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6
CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6
CSRF - Create Gallery
CSRF + SQLi - Update Gallery
CSRF - Add Items
CSRF + SQLi - Retrieve Items (Edit Settings - Items Tab)
CSRF + SQLi - Action buttons
## Solution:
Upgrade to v1.5 or higher
## Disclosure Timeline:
2015-06-06 - Discovered. Reported to developer.
2015-06-10 - Updated version released.
2015-07-25 - Publishing disclosure on FD mailing list
## Disclaimer:
This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.