Ad Injection <= 1.2.0.19 – Admin+ Stored Cross-Site Scripting & RCE | CVE 2022-0661 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user (Admin+) to inject arbitrary HTML or javascript even with unfiltered_html disallowed, leading to a stored cross-site scripting (XSS) vulnerability. Further it is also possible to inject PHP code, leading to a Remote Code execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.

Proof of Concept

- On the left colum go to Settings > Ad Injection.
- In the section Adverts: Top ad (below post title - this is not a 'header' ad) use the following payload:

For RCE:
<?php system('id'); ?>

Alternatively for XSS:
<img src onerror=alert(/XSS/)>

Affects Plugins

No known fix

References

CVE

URL

https://www.hackpertise.com/cve/33-cve-2022-0661/

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Asif Nawaz Minhas

Submitter

Asif Nawaz Minhas

Verified

Yes

WPVDB ID

3c5a7b03-d4c3-46b9-af65-fb50e58b0bfd

Timeline

Publicly Published

2022-03-22 (about 3 years ago)

Added

2022-03-22 (about 3 years ago)

Last Updated

2023-04-12 (about 2 years ago)

Other

Published

Title

Published

2024-10-13

Title

Contact Form by Supsystic < 1.7.29 - Authenticated (Admin+) Remote Code Execution

Published

2025-09-22

Title

AWP Classifieds <= 4.4.3 - Unauthenticated Arbitrary Shortcode Execution

Published

2021-03-04

Title

WooCommerce Upload Files < 59.4 - Unauthenticated Arbitrary File Upload

Published

2015-05-21

Title

Custom Content Type Manager <= 0.9.8.5 - Remote Code Execution

Published

2014-08-01

Title

EZPZ One Click Backup <= 12.03.10 - Unauthenticated Command Execution