Vulnerability Details CVE-2022-0661
The Ad Injection WordPress plugin through 1.2.0.19 does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user (Admin+) to inject arbitrary HTML or javascript even with unfiltered_html disallowed, leading to a stored cross-site scripting (XSS) vulnerability. Further it is also possible to inject PHP code, leading to a Remote Code execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.183
EPSS Ranking 94.9%
CVSS Severity
CVSS v3 Score 7.2
CVSS v2 Score 6.5
References
Products affected by CVE-2022-0661
-
cpe:2.3:a:ad_injection_project:ad_injection:-
-
cpe:2.3:a:ad_injection_project:ad_injection:1.2.0.19