CVE-2022-32776: Stored Cross-Site Scripting (XSS) Vulnerability in Advanced Ads – Ad Manager & AdSense Plugin <= 1.31.1 on WordPress

A new vulnerability, CVE-2022-32776, has been discovered in the Advanced Ads GmbH Advanced Ads – Ad Manager & AdSense plugin for WordPress, which could allow an authenticated user with admin or higher privileges to perform a Stored Cross-Site Scripting (XSS) attack. This article will provide a detailed insight into this vulnerability along with its exploit, relevant code snippets, and links to original references. The vulnerability has been found in version 1.31.1 and lower of the plugin.

Vulnerability Details

Stored Cross-Site Scripting (XSS) is a type of web security vulnerability that enables an attacker to inject malicious scripts into a web page viewed by other users. In this case, the vulnerability allows an authenticated user with administrative or higher privileges to inject malicious code into the ad parameters, which will be executed when a user views the affected ad.

The vulnerability arises due to improper validation and sanitization of user inputs in the ad parameters of the plugin. An attacker can exploit this flaw to execute arbitrary JavaScript code in the user's browser, leading to possible cookie theft, session hijacking, or redirection to malicious websites.

Exploit Details

To exploit this vulnerability, the attacker must have admin or higher privileges on the targeted WordPress website. The attacker can inject malicious JavaScript code into the ad parameters section while creating or editing an ad in the Advanced Ads – Ad Manager & AdSense plugin.

Below is a simple example of a payload that can be used to exploit this vulnerability

<script>alert("XSS Vulnerability");</script>

Once injected into the ad parameters, this code will execute when a user views the ad containing this payload, causing the browser to display an alert with the text "XSS Vulnerability."

Code Snippet

The code snippet below demonstrates the improper validation and sanitization of user inputs in the ad parameters in the plugin:

// Function to save the ad parameters into the database
function save_ad_parameters($ad_id, $ad_parameters) {    
    // Vulnerable code: lack of input validation and sanitization
    update_post_meta($ad_id, '_parameters', $ad_parameters);
}

This code is responsible for saving the ad parameters – including the injected JavaScript payload – into the database. Note the lack of input validation or sanitization before the update_post_meta function is called.

Mitigation

Advanced Ads GmbH has released a patch in version 1.31.2 of the plugin, which addresses this vulnerability. It is highly recommended for users to update their plugin to the latest version as soon as possible.

To further mitigate this risk, website administrators can implement Content Security Policy (CSP) headers designed to prevent the execution of inline JavaScript code on their websites.

Original References

- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32776
- NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2022-32776
- WordPress Plugin Repository: https://wordpress.org/plugins/advanced-ads/

Conclusion

CVE-2022-32776 is a Stored Cross-Site Scripting (XSS) vulnerability in the Advanced Ads – Ad Manager & AdSense plugin for WordPress. It allows an admin-level authenticated user to inject malicious JavaScript code into ad parameters, which could lead to cookie theft, session hijacking, or redirection to malicious websites for the affected users. Users of version 1.31.1 and lower are advised to update their plugin to the latest version and implement additional security measures such as Content Security Policy headers.

Timeline

Published on: 11/08/2022 19:15:00 UTC
Last modified on: 11/09/2022 14:27:00 UTC