wp-plugin : fixedly – A3-Cross-Site Scripting (XSS)
Plugin Details
Plugin Name : fixedly
Affected Version : 1.3.1 (and most probably lower versions, if any)
Technical Details
Minimum Level of Access Required : Unauthenticated
PoC - (Proof of Concept) :
http://localhost/wp-content/plugins/fixedly/pages/create_template_page.php?template_id="><script>alert(document.cookie)</script>&
Vulnerable Parameter : template_id
Type of XSS : Reflected
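The following PHP is an added example for this advisory, not the fixedly plugin's own code (the page does not show the vulnerable source). It models the sink the PoC implies: the `">` prefix of the payload only works if template_id is echoed unescaped inside an HTML attribute value, so a hypothetical page that does exactly that is shown next to a hardened form. The hardened version uses the fact, stated in the plugin description below, that template_id is an integer in the range 1..9: it validates the parameter as such, falls back to the default template on anything else, and still escapes on output. The function names and the hidden-input markup are assumptions made for the example.

```php
<?php
// Added example: hypothetical reflected-XSS sink and its hardened form.
// Not the plugin's code; it models the attribute-context sink the PoC implies.

// Vulnerable pattern (hypothetical): the raw query parameter lands inside an
// attribute value. The PoC value  "><script>alert(document.cookie)</script>
// closes the attribute and the tag, then injects a script element.
function render_vulnerable(array $get): string
{
    $template_id = $get['template_id'] ?? '';
    return '<input type="hidden" name="template_id" value="' . $template_id . '">';
}

// Hardened form: template_id is documented as an integer 1..9, so validate it
// as one (anything else falls back to the default template, 1) and escape on
// output anyway, so the sink stays safe even if the validation is changed later.
// Inside a real WordPress plugin, absint() and esc_attr() are the idiomatic calls;
// plain PHP equivalents are used here so the file runs from the command line.
function render_hardened(array $get): string
{
    $template_id = filter_var(
        $get['template_id'] ?? 1,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 9]]
    );
    if ($template_id === false) {
        $template_id = 1; // default template
    }
    $escaped = htmlspecialchars((string) $template_id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="template_id" value="' . $escaped . '">';
}

// Constructed request matching the PoC: this is what PHP places in $_GET after
// decoding ?template_id="><script>alert(document.cookie)</script>&
// (the trailing & only produces an empty key, which is ignored).
$poc = ['template_id' => '"><script>alert(document.cookie)</script>'];

echo "vulnerable: " . render_vulnerable($poc) . "\n";
echo "hardened:   " . render_hardened($poc) . "\n";
echo "hardened:   " . render_hardened(['template_id' => '4']) . "\n";
```

Run it with `php example.php`: the first line reproduces the broken-out `<script>` element the PoC relies on, the second shows the payload collapsing to the default template id, and the third shows a legitimate value passing through. Validation alone would be enough for this parameter, but keeping the output escaping means a future change to accept non-numeric template names does not silently reopen the sink.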
Disclosure Timeline
Vendor Contacted : 2014-01-04
Plugin Description :
Fixedly Media Gallery is a WordPress plugin that can help you create and integrate, easily and quickly, your next video, image or slideshow gallery into your pages and posts. Within 3 easy steps you can create and insert a gallery into your next post. Check out our [Screencast page](http://www.fixedly.net/screencasts/ "Screencast page") to learn more on how to use the plugin. Be sure that you have the `` function included in your WordPress theme header file, otherwise the Fixedly Media Gallery won't work.
= Shortcode =
[fixedly-media-gallery]
= Options =
* *id* - the ID of the gallery you want to insert (**required**)
* *template_id* - overwrite the default gallery template (optional) (e.g. if you would like to have the same gallery on different pages with different template styles): 1 - default, 2 - default_thumbnails, 3 - content_left, 4 - content_right, 5 - content_top, 6 - content_bottom, 7 - content_left_thumbnails, 8 - content_right_thumbnails, 9 - gallery
= Examples =
`[fixedly-media-gallery id="1"]`
`[fixedly-media-gallery id="1" template_id="4"]`
= PHP Code =
Here is the code if you want to add the gallery directly into your PHP templates.
``
Another way to add a gallery into your PHP templates is by using the `` function.
``