WordPress CM Ad Changer plugin version 1.7.2 suffers from multiple cross site scripting vulnerabilities.
0e299b1da211c516c4fe7bf2343d8e5cc837b4ab5a77b90b236816e14876df7c
## FULL DISCLOSURE
#Product : cm-ad-changer
#Exploit Author : Rahul Pratap Singh
#Version :1.7.2
#Home page Link : https://wordpress.org/plugins/cm-ad-changer/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016
XSS Vulnerability:
----------------------------------------
Description:
----------------------------------------
Following parameters are not sanitized that leads to XSS Vulnerability.
title, comment, link
----------------------------------------
Vulnerable Code:
----------------------------------------
File Name: testfiles/cm-ad-changer/backend/views/admin_settings.php
Found at line:61
<input type="checkbox" name="acs_active" id="acs_active" value="1" <?php
echo ($fields_data['acs_active'] == '1' ? 'checked=checked' : '') ?> />
Found at line:73
<textarea id="acs_custom_css" name="acs_custom_css" rows=7 value="<?php
echo stripslashes($fields_data['acs_custom_css']) ?>"><?php echo
stripslashes($fields_data['acs_custom_css']) ?></textarea>
File Name: testfiles/cm-ad-changer/backend/views/admin_campaigns.php
Found at line:96
<textarea value="<?php echo (isset($fields_data['comment']) ?
stripslashes($fields_data['comment']) : '') ?>" name="comment"
id="comment"><?php echo (isset($fields_data['comment']) ?
stripslashes($fields_data['comment']) : '') ?></textarea>
----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/04/cm-ad-changer-xss-poc.png
https://0x62626262.files.wordpress.com/2016/04/cm-ad-changer-xss-poc1.png
Fix:
Update to 1.7.6
Vulnerability Disclosure Timeline:
→ March 14, 2016 – Bug discovered, initial report to Vendor.
→ March 22, 2016 – No Response. Report sent again.
→ March 23, 2016 – WordPress Acknowledged.
→ April 21, 2016 – Full Disclosure.
Pub Ref:
https://0x62626262.wordpress.com/2016/04/21/cm-ad-changer-xss-vulnerability/
https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes/