Photo Gallery by Supsystic [Privilege Escalation]


This is based on an issue first reported here

The problem occurs because plugin implements a dynamic way to call classes and methods. The entry point of the exploitaion is AJAX action grid-gallery. This is a privileged action so it is only available to authenticated users. Even so, a user with basic privileges (like a subscriber) could exploit this vulnerability to perform a number of actions provided by the plugin and normally would only be accesible to users with administrative privileges.

The AJAX action grid-gallery calls the \GridGallery_Ajax_Module::handle() method which in turn calls the \GridGallery_Ajax_Handler::handle() and this one based on if this is a POST or GET request calls the \GridGallery_Ajax_Handler::handleRequest() method passing the appropriate parameters.

Method \GridGallery_Ajax_Handler::handleRequest():

public function handleRequest(Rsc_Http_Parameters $method)
    /** @var Rsc_Mvc_Module $module */
    if (!$method->has('route')) {
        return false;

    $route = $method->get('route');
    $module = (isset($route['module']) ? $route['module'] : $this->environment->getConfig()->get('default_module'));
    $action = (isset($route['action']) ? $route['action'] : 'index');

    if (null !== $module = $this->environment->getModule(strtolower($module))) {
        $controller = $module->getController();

        if ($controller !== null && method_exists($controller, $action = sprintf('%sAction', $action))) {
            return call_user_func_array(array($controller, $action), array($controller->getRequest()));

    return false;

As of version 1.8.6 this method includes nonce and capabilities check, so this exploit is mitigated.


In this exploit we use a set of different actions and controllers in order to create a new gallery, upload an image, assign image to the gallery, edit gallery details (and more specifically image caption) to inject an XSS payload.

See exploit/exploit.php


Update to v1.8.6