All-in-One Video Gallery <= 4.7.1 - Reflected Cross-Site Scripting via 'vi' Parameter

This plan outlines the steps to research and exploit a Reflected Cross-Site Scripting (XSS) vulnerability in the All-in-One Video Gallery WordPress plugin (version 4.7.1).

1. Vulnerability Summary

• Vulnerability: Reflected Cross-Site Scripting (XSS)
• Parameter: vi (GET parameter)
• Affected Versions: <= 4.7.1
• Cause: The plugin fails to sufficiently sanitize or escape the vi query parameter when rendering it back onto the page, typically within a gallery or video player context.
• Sink: The value is likely reflected into a JavaScript variable or a hidden input field used to track the currently active video in a gallery.

2. Attack Vector Analysis

• Endpoint: Any public-facing page containing an All-in-One Video Gallery shortcode (e.g., [aiovg_video], [aiovg_videos], or [aiovg_gallery]) or the default video archive/single pages.
• Payload Carrier: URL Query Parameter vi.
• Authentication: Unauthenticated (PR:N).
• Preconditions:
  1. The plugin must be active.
  2. At least one video (aiovg_videos post type) should exist to ensure gallery/player components render.
  3. A page must exist that displays a gallery or player.

3. Code Flow (Inferred)

1. Request Handling: A user accesses a URL like http://wp-dist.dev.local/?aiovg_videos=1&vi=PAYLOAD.
2. Shortcode Processing: The plugin's shortcode handler (likely in public/ files, not provided but inferred from blocks/blocks.php references to shortcode fields) executes.
3. Input Acquisition: The code retrieves the value using $_GET['vi'].
4. Template Rendering: The plugin generates HTML/JavaScript to handle video navigation. It uses the vi value to identify which video to highlight or play.
5. Vulnerable Sink: The value is echoed without esc_attr(), esc_js(), or esc_html().
   • Candidate Sink A (JavaScript): var current_video = '<?php echo $_GET['vi']; ?>';
   • Candidate Sink B (HTML Attribute): <div class="aiovg" data-vi="<?php echo $_GET['vi']; ?>">

4. Nonce Acquisition Strategy

Reflected XSS via a GET parameter in the public frontend typically does not require a nonce. Nonces in WordPress are primarily used for state-changing operations (CSRF protection). Since this is a reflection during page generation, the vi parameter is treated as a navigation state and is usually processed before any nonce check would occur.

Verification Step: If the agent encounters a 403 Forbidden or a "nonce check failed" message, it should search the page source for localized variables (e.g., aiovg_ajax or aiovg_vars) using browser_eval("window.aiovg_ajax").

5. Exploitation Strategy

The goal is to demonstrate script execution by breaking out of the context where vi is reflected.

1. Discovery Phase:

   • Navigate to a gallery page with a unique canary: ?vi=XSS_CANARY_123.
   • View page source and locate XSS_CANARY_123.
   • Identify the surrounding context (e.g., inside <script> tags, inside a value="" attribute, or as raw text).

2. Payload Crafting:

   • Context: HTML Attribute (e.g., value="PAYLOAD")
     • Payload: "><script>alert(document.domain)</script>
   • Context: JavaScript String (e.g., var id = 'PAYLOAD';)
     • Payload: ';alert(document.domain);//

3. Execution Phase:

   • Use the http_request tool to send a GET request to the target page with the crafted vi parameter.
   • Use browser_navigate to the URL to confirm the script executes in a real browser environment.

6. Test Data Setup

Before testing, the environment must be prepared:

1. Create a Video Post:

   wp post create --post_type=aiovg_videos --post_title="Test Video" --post_status=publish
   

2. Create a Gallery Page:

   wp post create --post_type=page --post_title="Gallery" --post_content='[aiovg_videos]' --post_status=publish
   

3. Identify the URL: The page will likely be at http://wp-dist.dev.local/gallery/.

7. Expected Results

• Discovery: The string XSS_CANARY_123 is found in the response body.
• Exploitation: When visiting the URL with the payload, the browser should execute the JavaScript.
• Response Body Snippet (Example):

  <div class="aiovg-player" data-params='{"vi":"><script>alert(document.domain)</script>", ...}'>
  

8. Verification Steps

1. HTTP Check: Use http_request to fetch the page with the payload and verify that the payload characters (like < and >) are NOT HTML-encoded in the sink.

   # Example logic for agent
   resp = http_request("http://wp-dist.dev.local/gallery/?vi=\"><script>alert(1)</script>")
   if "\"><script>alert(1)</script>" in resp['body']:
       print("Vulnerability Confirmed: Unescaped reflection found.")
   

2. Browser Execution: Use browser_navigate and check for an alert dialog or a side effect (like writing to window.hacked = 1).

9. Alternative Approaches

If [aiovg_videos] does not reflect the parameter, try other shortcodes or default archive pages:

• Archive Page: http://wp-dist.dev.local/aiovg_videos/?vi=PAYLOAD
• Search Page: The plugin provides a search widget/block. Use the search form and check if vi is reflected in the search results URL or hidden fields.
• Breadcrumbs: Check if the plugin uses vi to build breadcrumb links on single video pages.