WordPress Plugin Vulnerabilities

Ad Injection <= 1.2.0.19 - Admin+ Stored Cross-Site Scripting & RCE

Description

The plugin does not properly sanitize the body of the adverts it injects into pages, allowing a high-privileged user (Admin+) to inject arbitrary HTML or JavaScript even when unfiltered_html is disallowed, leading to a stored cross-site scripting (XSS) vulnerability. Furthermore, it is also possible to inject PHP code, leading to a Remote Code Execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.

Proof of Concept

- In the left column go to Settings > Ad Injection.
- In the section Adverts: Top ad (below post title - this is not a 'header' ad) use the following payload:

For RCE:
<?php system('id'); ?>

Alternatively for XSS:
<img src onerror=alert(/XSS/)>
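The root cause described above is an advert body that is stored and emitted without regard to the unfiltered_html capability, and that can reach a PHP execution path. The following is an added, hypothetical hardened handler written for this page; it is not Ad Injection's own code, and every name prefixed adinject_example_ is an assumption. It shows the two defensive properties a settings handler of this kind needs: sanitizing on save according to the saving user's unfiltered_html capability (not their role), and rendering the stored string as plain output that is never passed to eval(), include() or written into a .php file.

```php
<?php
/*
 * Added example, not the plugin's code. Function and option names
 * beginning with "adinject_example_" are hypothetical.
 */

// Register the option with a sanitize callback so every save path
// (Settings API form post or a direct update_option() call) passes
// through the same filter via the sanitize_option_{$option} hook.
add_action( 'admin_init', 'adinject_example_register' );
function adinject_example_register() {
    register_setting(
        'adinject_example_group',
        'adinject_example_top_ad',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'adinject_example_sanitize_ad',
            'default'           => '',
        )
    );
}

// Honour the unfiltered_html capability rather than trusting the role.
// Core withholds this capability from every user when the
// DISALLOW_UNFILTERED_HTML constant is set, and from non-super-admins
// on multisite, so checking it (instead of manage_options) is what keeps
// an administrator from bypassing the site-wide policy.
function adinject_example_sanitize_ad( $ad ) {
    $ad = (string) $ad;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $ad;
    }
    // wp_kses_post() keeps post-safe markup (including <img>) but drops
    // event-handler attributes such as onerror and discards non-HTML
    // constructs such as PHP open tags.
    return wp_kses_post( $ad );
}

// Output path: the stored string is concatenated into the page as-is.
// PHP never evaluates it, so a PHP open tag inside the option is inert
// text to the server and a bogus comment to the browser's HTML parser.
function adinject_example_render_top_ad( $content ) {
    if ( ! is_singular() || ! in_the_loop() || ! is_main_query() ) {
        return $content;
    }
    $ad = get_option( 'adinject_example_top_ad', '' );
    if ( '' === $ad ) {
        return $content;
    }
    // If the advert needs dynamic values, substitute a fixed list of
    // placeholders with str_replace(); do not template through eval().
    $ad = str_replace( '{post_title}', esc_html( get_the_title() ), $ad );
    return '<div class="adinject-example-top">' . $ad . '</div>' . $content;
}
add_filter( 'the_content', 'adinject_example_render_top_ad' );
```

With this shape, an administrator on a site where unfiltered_html has been withheld gets the same wp_kses_post() treatment as an editor, so the XSS payload in the Proof of Concept loses its onerror handler, and the PHP payload is stripped on save and would be inert even if it survived, because no code path executes the option's contents.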

Affects Plugins

No known fix

Classification

Type
RCE

Miscellaneous

Original Researcher
Asif Nawaz Minhas
Submitter
Asif Nawaz Minhas
Verified
Yes

Timeline

Publicly Published
2022-03-22
Added
2022-03-22
Last Updated
2023-04-12
