Tittle:
WordPress Plugin Ad Inserter < 2.7.12 - Reflected Cross-Site Scripting

References:
CVE-2022-0901

Author:
Taurus Omar 

Description:
The plugins do not sanitise and escape the REQUEST_URI before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters

Affects Plugins:
ad-inserter
ad-inserter-pro 
Fixed in version 2.7.12

Proof of Concept:
In a browser which does not encode characters: 
https://example.com/wp-admin/options-general.php?page=ad-inserter.php&start=2&tab=\"><iframe/onload=alert(1)></iframe> 

Classification
Type XSS 
OWASP top 10 A7: Cross-Site Scripting (XSS)
CWE-79

wpScan:
https://wpscan.com/vulnerability/85582b4f-a40a-4394-9834-0c88c5dc57ba