#Exploit Title: CM Ad Changer Plugin XSS #Date: 9/6/2016 #Exploit Author: Aaditya Purani #Author Homepage: https://aadityapurani.com #Vendor Homepage: https://ad-changer.cminds.com #Software Link: https://downloads.wordpress.org/plugins/cm-ad-changer.zip (Updated) #Version: 1.7.7 #Tested on: Wordpress 4.5.2 #Category: Web applications Description: An Stored Cross Site Scripting was reported by me to CM Ad Plugins under which an Unprivileged user can Trigger a Stored XSS to perform malicious action or any attacker could send a Crafted link which can trigger Stored XSS Steps to Produce: 1) Go to CM Ad changers -> Campaigns 2) Create a Campaign. Enter whatever you want in Campaign settings, in the next tab "Campaign Banners", select an Image in Campaign images and in Banner Title enter this payload 3) Enter Save & Payload triggers everytime you Return. Attacker Can Make a Payload File containing the following:

Click The button below. POC By Aaditya Purani:: CM AD Changer 1.7.7

This will Trigger Stored XSS at banner_title Parameter. It has been fixed and Version 1.7.8 Released on 9th June Visit Here: https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes ---------Timeline---------- 1st June : Reported to Vendor Creative Minds 3rd June: Additional Information provided 6th June: Team will able to reproduce 7th June: Fix and confirmed by me 9th June: Publically Fix released & Changelog updated 1.7.8 Regards, Aaditya Purani # Iranian Exploit DataBase = http://IeDb.Ir [2016-06-24]