WordPress Plugin Vulnerabilities
Ad Injection <= 1.2.0.19 - Admin+ Stored Cross-Site Scripting & RCE
Description
The plugin does not properly sanitize the body of the adverts injected into the pages, allowing a high-privileged user (Admin+) to inject arbitrary HTML or JavaScript even when unfiltered_html is disallowed, leading to a stored cross-site scripting (XSS) vulnerability. Furthermore, it is also possible to inject PHP code, leading to a remote code execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.
Proof of Concept
- On the left column, go to Settings > Ad Injection.
- In the section Adverts: Top ad (below post title - this is not a 'header' ad), use the following payload:
  For RCE: <?php system('id'); ?>
  Alternatively, for XSS: <img src onerror=alert(/XSS/)>
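A defender-side check for the two payload classes above, added here as an example (it is not code from the advisory or from the plugin): it reports stored ad bodies that contain a PHP opening tag or script-capable markup. The slot names and the way ad bodies are exported from the site are assumptions; the sample bodies are constructed, two of them reusing the payloads quoted above.

```python
import re
from html.parser import HTMLParser

# PHP opening tags: "<?php", "<?=" or the short tag "<?" (an "<?xml" prolog is ignored).
PHP_OPEN = re.compile(r"<\?(?!xml\b)", re.IGNORECASE)
URL_ATTRS = {"href", "src", "action", "formaction"}


class ActiveMarkupFinder(HTMLParser):
    """Records markup that runs script in a visitor's browser."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            target = (value or "").strip().lower()
            if name.startswith("on"):  # onerror, onload, onclick, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and target.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def audit_ad_body(body):
    """Return {'php': bool, 'script': [findings]} for one stored ad body."""
    finder = ActiveMarkupFinder()
    finder.feed(body)
    finder.close()
    return {"php": bool(PHP_OPEN.search(body)), "script": finder.findings}


# Constructed sample input: slot names are hypothetical; the second and third
# bodies are the two proof-of-concept payloads quoted in the advisory.
SAMPLE_ADS = {
    "top_ad_1": '<a href="https://example.com/offer"><img src="/banner.png" alt="Offer"></a>',
    "top_ad_2": "<?php system('id'); ?>",
    "top_ad_3": "<img src onerror=alert(/XSS/)>",
}

if __name__ == "__main__":
    for slot, body in SAMPLE_ADS.items():
        result = audit_ad_body(body)
        if result["php"] or result["script"]:
            print(f"{slot}: review needed -> {result}")
```

Ad network snippets legitimately contain script elements, so script findings are for review against what the site is expected to serve.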
Affects Plugins
References
Classification
Type
RCE
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Asif Nawaz Minhas
Submitter
Asif Nawaz Minhas
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-03-22 (about 2 years ago)
Added
2022-03-22 (about 2 years ago)
Last Updated
2023-04-12 (about 1 year ago)