The plugin does not properly sanitize the body of the adverts it injects into pages, allowing a high-privileged user (Admin+) to inject arbitrary HTML or JavaScript even with unfiltered_html disallowed, leading to a stored cross-site scripting (XSS) vulnerability. Furthermore, it is also possible to inject PHP code, leading to a remote code execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.
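The bug class the description refers to, shown as a vulnerable render path beside a hardened one. This is an added illustration, not the plugin's own code; the option name ai_top_ad, the function names and the hook wiring are assumptions.

```php
<?php
// Added illustration of the bug class, not the plugin's code.
// Assumed: option 'ai_top_ad' holds the admin-entered body of the Top ad.

// VULNERABLE PATTERN: the stored ad body is echoed unfiltered and any
// <?php ... ?> block inside it is executed with eval(). DISALLOW_FILE_EDIT
// and DISALLOW_FILE_MOD only disable the theme/plugin editors and installers;
// they do nothing about code evaluated from a database option, so the RCE
// described above is reachable even with both constants set.
function ai_render_top_ad_vulnerable() {
    $ad = get_option( 'ai_top_ad', '' );
    ob_start();
    eval( '?>' . $ad );          // executes PHP tags contained in the ad body
    return ob_get_clean();
}

// HARDENED PATTERN, part 1: filter the ad body on save according to the
// saving user's capability. Users without unfiltered_html get wp_kses_post(),
// which removes <script>, on* event handler attributes and <?php ... ?> tags
// while keeping ordinary markup such as <a>, <img> and <div>.
function ai_sanitize_top_ad( $raw ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $raw;             // core grants these users raw HTML
    }
    return wp_kses_post( $raw );
}

// HARDENED PATTERN, part 2: never evaluate stored content as PHP. The ad is
// output as plain HTML, so a PHP tag that survived (e.g. saved by a user with
// unfiltered_html) is sent to the browser as text rather than executed.
function ai_render_top_ad_hardened() {
    return (string) get_option( 'ai_top_ad', '' );
}

// WordPress runs the sanitize_option_{$option} filter inside update_option(),
// so the sanitizer is applied on every save of the (assumed) option.
add_filter( 'sanitize_option_ai_top_ad', 'ai_sanitize_top_ad' );
```

Removing eval() is the fix that matters for the RCE; the kses filter addresses the XSS for users who should not have unfiltered_html.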
- In the left-hand menu, go to Settings > Ad Injection.
- In the Adverts section, in the field Top ad (below post title - this is not a 'header' ad), use one of the following payloads:
For RCE:
<?php system('id'); ?>
Alternatively for XSS:
<img src onerror=alert(/XSS/)>
Asif Nawaz Minhas
2022-03-22
2023-04-12