During security research I found an authenticated stored XSS and an RCE vulnerability. Affected plugin: Ad Injection, versions < 1.2.0.19.

Description

The plugin does not properly sanitize the body of the adverts injected into the pages, allowing a high-privileged user (Admin+) to inject arbitrary HTML or JavaScript even with unfiltered_html disallowed, leading to a stored cross-site scripting (XSS) vulnerability. It is also possible to inject PHP code, leading to a remote code execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.

POC

- In the left column go to Settings > Ad Injection.

- In the section Adverts: Top ad (below post title - this is not a 'header' ad) use the following payload:

For RCE:

<?php system('id'); ?>

Alternatively for XSS:

<img src onerror=alert(/XSS/)>
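As an added example (not the Ad Injection plugin's own code), the following shows how an advert body should be handled on the WordPress side so that neither payload above reaches the page as executable content: it is filtered with wp_kses_post for users without the unfiltered_html capability, and it is only ever echoed as markup, never evaluated as PHP. The option name and function names are placeholders; the storage layout of the real plugin is not described on this page.

```php
<?php
// Added example, not the Ad Injection plugin's code. Assumes the advert body
// is stored in a WordPress option (placeholder name below) by a settings
// handler and later echoed into the page by the plugin's output hook.

define( 'ADINJ_EXAMPLE_OPTION', 'adinj_example_top_ad' ); // placeholder

/**
 * Filter an advert body before it is stored. A user without the
 * unfiltered_html capability gets the same allow-list as post content,
 * so <script> tags and on* handlers such as <img src onerror=...> are
 * removed. This honours the capability the advisory says is ignored.
 */
function adinj_example_sanitize_ad_body( $body ) {
    $body = (string) $body;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $body;
    }
    return wp_kses_post( $body );
}

/**
 * Save handler: only users who may manage options can change the advert,
 * and the body is filtered on the way in rather than trusted because the
 * caller is an administrator.
 */
function adinj_example_save_ad_body( $body ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    return update_option( ADINJ_EXAMPLE_OPTION, adinj_example_sanitize_ad_body( $body ) );
}

/**
 * Output: the stored string is echoed as markup and nothing else. It is
 * never passed to eval(), include'd, or written into a .php file, so a
 * stored "<?php system('id'); ?>" stays inert text in the HTML. Note that
 * DISALLOW_FILE_EDIT / DISALLOW_FILE_MOD only block editing and installing
 * files; they do not stop eval() of a stored string, which is why the
 * advisory's RCE works with both constants set.
 */
function adinj_example_render_ad_body() {
    echo (string) get_option( ADINJ_EXAMPLE_OPTION, '' );
}
```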

Additional information

WPScan link: https://wpscan.com/vulnerability/3c5a7b03-d4c3-46b9-af65-fb50e58b0bfd

NIST CVSS score: 7.2

NIST link: https://nvd.nist.gov/vuln/detail/CVE-2022-0661

The plugin has been closed.