Ad Inserter < 2.7.11 – Admin+ RCE / Stored XSS | Plugin Vulnerabilities

Description

The plugin does not make any security checks regarding the PHP and JS code in blocks, allowing high privilege users such as admin to execute commands on the underlying OS as well as perform Stored Cross-Site Scripting attacks even in multisite blogs and hardened ones.

Proof of Concept

1. Go to Settings -> Ad Inserter (/wp-admin/options-general.php?page=ad-inserter.php)
2. Turn "Process PHP code in block" on (The PHP icon on the top right side of a block)
3. Enter the following code in the block:
        <?php system('id'); ?>
        <img src onerror=alert(/XSS/)>
4. Click "Save Setting"
5. Click Preview to trigger the XSS and and the output of the PHP code: e.g  uid=33(www-data) gid=33(www-data) groups=33(www-data)

Affects Plugins

Fixed in 2.7.11

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Viktor Markopoulos

Submitter

Viktor Markopoulos

Submitter website

https://vict0ni.me

Submitter twitter

Verified

Yes

WPVDB ID

134ff1be-b80b-4cfa-9a7c-db4300a2a8d2

Timeline

Publicly Published

2022-02-03 (about 3 years ago)

Added

2022-02-03 (about 3 years ago)

Last Updated

2022-02-03 (about 3 years ago)

Other

Published

Title

Published

2025-07-16

Title

Alone <= 7.8.3 - Unauthenticated Remote Code Execution

Published

2024-09-24

Title

Special Text Boxes < 6.2.5 - Unauthenticated Arbitrary Shortcode Execution

Published

2025-08-14

Title

Inpersttion For Theme <= 1.0 - Authenticated (Contributor+) Arbitrary Function Call

Published

2024-03-13

Title

Multiple Page Generator Plugin – MPG < 3.4.1 - Authenticated (Editor+) Remote Code Execution

Published

2024-10-14

Title

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) < 1.5.122 - Authenticated (Editor+) Remote Code Execution