CVE-2022-0661: Ad Injection <= 1.2.0.19 - Admin+ Stored Cross-Site Scripting & RCE

Vendor: Unknown
Product: Ad Injection
Weakness: CWE-94 (Code injection)
Published: April 18, 2022
Last update: August 2, 2024

What the vulnerability does

01 Description

The Ad Injection WordPress plugin through 1.2.0.19 does not properly sanitize the body of the adverts it injects into pages. This allows a high-privileged user (Admin+) to inject arbitrary HTML or JavaScript even when unfiltered_html is disallowed, leading to a stored cross-site scripting (XSS) vulnerability. Furthermore, it is also possible to inject PHP code, leading to a remote code execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.

Key dates

02 Disclosure timeline

April 18, 2022: CVE published
August 2, 2024: Record updated