
Sucuri Blog

Website Security News

Labs Note

Reflected XSS in Advanced Ads Admin Dashboard

March 17, 2020, by Antony Garand

A patch for a vulnerability in the Advanced Ads plugin has been released. Prior to version 1.17.4, attackers were able to exploit two reflected XSS vulnerabilities via the admin dashboard.

Both vulnerabilities are related to the advads-last-edited-group request parameter, which should normally be a number.

Because the value of this parameter was not sanitized, a malicious payload can be injected into websites using vulnerable versions of this plugin. The value is echoed in two places, once inside an inline script and once inside a hidden form field, causing up to two reflected XSS on the page.

$last_edited_group_id = 0;
if ( isset( $_REQUEST['advads-last-edited-group'] ) ) {
        // Vulnerable: the request value is stored as-is, with no integer cast or validation.
        $last_edited_group_id = $_REQUEST['advads-last-edited-group'];
        ?>
        <script>
                var body = document.getElementsByTagName("body")[0];
                body.addEventListener("load", function(){
                        // Vulnerable sink 1: raw value echoed into inline JavaScript.
                        jQuery('#advads-ad-group-<?php echo $last_edited_group_id; ?>').get(0).scrollIntoView(false);
                }, true);
        </script>
        <?php
}
// ...
<div id="advads-ad-group-list">
        <form action="" method="post" id="advads-form-groups">
                <?php wp_nonce_field( 'update-advads-groups', 'advads-group-update-nonce' ); ?>
                <table class="wp-list-table widefat fixed adgroups">
                        <?php $ad_groups_list->render_header(); ?>
                        <?php $ad_groups_list->render_rows(); ?>
                </table>
                <?php // Vulnerable sink 2: raw value echoed into an HTML attribute. ?>
                <input type="hidden" name="advads-last-edited-group" id="advads-last-edited-group" value="<?php echo $last_edited_group_id; ?>"/>
                <div class="tablenav bottom">
                        <?php submit_button( __( 'Update Groups', 'advanced-ads' ) ); ?>
                </div>
        </form>
</div>

If a website administrator visits an attacker’s specially crafted link, the bad actor may be able to gain access to the compromised environment and obtain access to the account.

Timeline:

  • 2020-03-08: Initial disclosure
  • 2020-03-09: Update provided by the developer
  • 2020-03-09: Version 1.17.4 released

Mitigation Steps:

Websites running Advanced Ads versions lower than 1.17.4 should update the plugin to the latest patch immediately to mitigate risk. As always, customers using our WAF are protected from this issue with our virtual patching technology.
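
For developers maintaining similar code, a hardened form of the snippet above is shown here as an added example; it is not the plugin's actual 1.17.4 patch. The helper name `sanitized_group_id` is hypothetical, and the code uses plain PHP so it runs outside WordPress, where `absint()` and `esc_attr()` would serve the same purpose.

```php
<?php
/**
 * Hypothetical helper: return the group ID from the request, or 0 when the
 * parameter is missing or is not a plain non-negative integer.
 */
function sanitized_group_id( array $request ): int {
	$raw = $request['advads-last-edited-group'] ?? null;
	if ( ! is_string( $raw ) && ! is_int( $raw ) ) {
		// Missing, or an array such as ?advads-last-edited-group[]=1
		return 0;
	}
	// Validate on input: anything that is not an integer >= 0 is rejected.
	$id = filter_var(
		$raw,
		FILTER_VALIDATE_INT,
		array( 'options' => array( 'min_range' => 0 ) )
	);
	return false === $id ? 0 : $id;
}

$last_edited_group_id = sanitized_group_id( $_REQUEST );

if ( $last_edited_group_id > 0 ) {
	// Sink 1 (inline script): the value is an int, and json_encode() emits it
	// as a JavaScript number literal instead of splicing it into a string.
	?>
	<script>
		var body = document.getElementsByTagName("body")[0];
		body.addEventListener("load", function(){
			var group = jQuery('#advads-ad-group-' + <?php echo json_encode( $last_edited_group_id ); ?>).get(0);
			if (group) { group.scrollIntoView(false); }
		}, true);
	</script>
	<?php
}
// Sink 2 (HTML attribute): escape at output even though the value is already
// validated, so a later change to the input handling cannot reopen the hole.
?>
<input type="hidden" name="advads-last-edited-group" id="advads-last-edited-group"
	value="<?php echo htmlspecialchars( (string) $last_edited_group_id, ENT_QUOTES, 'UTF-8' ); ?>"/>
```

Validating the parameter once on input and escaping it again at each sink means neither of the two echo points depends on the other being correct.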

Categories: Sucuri Labs, Website Malware Infections, Website Security
Tags: Labs Note, XSS

About Antony Garand

Antony Garand is Sucuri's Threat Researcher who joined the company in 2019. Antony's main responsibilities include researching vulnerabilities and dissecting malware. His professional experience covers many years of security research and development. When Antony isn't breaking stuff, you might find him at the dog park or learning new skills.
