CVE-2022-0661

Public Exploit

Ad Injection <= 1.2.0.19 - Admin+ Stored Cross-Site Scripting & RCE

Description

The Ad Injection WordPress plugin through 1.2.0.19 does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user (Admin+) to inject arbitrary HTML or javascript even with unfiltered_html disallowed, leading to a stored cross-site scripting (XSS) vulnerability. Further it is also possible to inject PHP code, leading to a Remote Code execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.

References

Link	Tags
https://wpscan.com/vulnerability/3c5a7b03-d4c3-46b9-af65-fb50e58b0bfd	third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2022-0661?: CVE-2022-0661 has been scored as a high severity vulnerability.
How to fix CVE-2022-0661?: To fix CVE-2022-0661, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-0661 being actively exploited in the wild?: It is possible that CVE-2022-0661 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~18% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-0661?: CVE-2022-0661 affects Unknown Ad Injection.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-94 – Improper Control of Generation of Code ('Code Injection')

References

Frequently Asked Questions