During security research I found an authenticated Stored XSS and an RCE vulnerability. The name of the plugin is Ad Injection; the affected plugin version is < 126.96.36.199
- On the left column go to Settings > Ad Injection.
- In the section Adverts: Top ad (below post title - this is not a 'header' ad) use the following payload:
  For RCE: <?php system('id'); ?>
  Alternatively for XSS: <img src onerror=alert(/XSS/)>
NIST CVSS SCORE: 7.2
Plugin is closed.
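For sites that still have the plugin installed, the following added example (not part of the original advisory and not the plugin's code) audits stored advert fields for the two payload classes shown above: PHP open tags and inline event-handler attributes. It assumes the advert settings have already been exported into a dict; the field names and the sample values are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Server-side code markers: <?php, <?= and the short open tag <?
# (an XML declaration such as <?xml ...?> is deliberately not matched).
PHP_TAG = re.compile(r"<\?(?:php\b|=|(?!xml\b))", re.IGNORECASE)


class _HandlerFinder(HTMLParser):
    """Collects on* event-handler attributes found on any start tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.startswith("on"):
                self.hits.append(f"inline event handler {name} on <{tag}>")


def audit_ad_settings(settings):
    """Return {field: [findings]} for stored advert fields that need review."""
    report = {}
    for field, value in settings.items():
        findings = []
        if PHP_TAG.search(value):
            findings.append("PHP open tag (server-side code)")
        finder = _HandlerFinder()
        finder.feed(value)
        finder.close()
        findings.extend(finder.hits)
        if findings:
            report[field] = findings
    return report


# Constructed sample: hypothetical field names; the first two values mirror
# the payloads in the advisory, the third is an ordinary ad-network tag.
SAMPLE = {
    "top_ad": "<?php system('id'); ?>",
    "random_ad": "<img src onerror=alert(/XSS/)>",
    "bottom_ad": '<script async src="https://ads.example/tag.js"></script>',
}

if __name__ == "__main__":
    for field, findings in audit_ad_settings(SAMPLE).items():
        print(field, "->", "; ".join(findings))
```

External script tags are not flagged because ordinary ad-network snippets are script elements; any field that is reported should be checked against what the site's administrators intended to place there.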