The exploit demonstrates a SQL injection vulnerability in 4images <= 1.7.13 via the 'orderby' parameter in admin/validateimages.php; the injection can be escalated to execute arbitrary JavaScript in the administrator's browser session, leading to CSRF token bypass and the addition of an administrator account.
Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: 4images <= 1.7.13
Auth required
Prerequisites: Valid user account · Image upload permissions · Admin session active