CVE-2022-0288
Published: 2022-02-21
CVE-2022-0288: The Ad Inserter WordPress plugin before 2.7.10, Ad Inserter Pro WordPress plugin before 2.7.10 do not sanitise and escape the html_element_selection parameter…
Priority: P180 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 2.39% (81.9th percentile)
The Ad Inserter WordPress plugin before 2.7.10, Ad Inserter Pro WordPress plugin before 2.7.10 do not sanitise and escape the html_element_selection parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ad_inserter_pro_project | ad_inserter_pro | < 2.7.10 | 2.7.10 |
| ad_inserter_project | ad_inserter | < 2.7.10 | 2.7.10 |
| vim | vim | >= 0 < 2:8.0.1453-1ubuntu1.11 | 2:8.0.1453-1ubuntu1.11 |
| vim | vim | >= 0 < 2:8.1.2269-1ubuntu5.12 | 2:8.1.2269-1ubuntu5.12 |
| vim | vim | >= 0 < 2:8.2.3995-1ubuntu2.4 | 2:8.2.3995-1ubuntu2.4 |
| vim | vim | >= 0 < 2:7.4.052-1ubuntu3.1+esm7 | 2:7.4.052-1ubuntu3.1+esm7 |
| vim | vim | >= 0 < 2:7.4.1689-3ubuntu1.5+esm17 | 2:7.4.1689-3ubuntu1.5+esm17 |
Detection & IOCs (extracted from sources)
Tags: other · ad-inserter
- Request uses Content-Type application/x-www-form-urlencoded; monitor POST requests to WordPress Ad Inserter plugin endpoints for an unsanitised html_element_selection parameter
- HTTP 200 response with text/html content type containing both the XSS payload and 'ad-inserter' indicates successful reflection
- Vulnerability affects Ad Inserter and Ad Inserter Pro WordPress plugins strictly before version 2.7.10; versions 2.7.10 and above are patched
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | | 7.8 | HIGH | |
| vulncheck | | 6.1 | MEDIUM | |
OSV
vim vulnerabilities (osv · 2023-03-20 · CVSS 7.8)
CVE-2022-47024: vim vulnerabilities
It was discovered that Vim was not properly performing memory management operations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2022-47024, CVE-2023-0049, CVE-2023-0054, CVE-2023-0288, CVE-2023-0433)

It was discovered that Vim was not properly performing memory management operations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2023-0051)

It was discovered that Vim was not properly performing memory management operations. An attacker could possibly use this issue to cause a denial of service or e
GHSA
GHSA-f6p6-h7v7-mpgx: The Ad Inserter WordPress plugin before 2
ghsa_unreviewed · 2022-02-22
CVE-2022-0288 [MEDIUM] · CWE-79
The Ad Inserter WordPress plugin before 2.7.10, Ad Inserter Pro WordPress plugin before 2.7.10 do not sanitise and escape the html_element_selection parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting
VulnCheck
ad_inserter_pro_project ad_inserter_pro: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck · 2022 · CVSS 6.1
CVE-2022-0288 [MEDIUM]
The Ad Inserter WordPress plugin before 2.7.10, Ad Inserter Pro WordPress plugin before 2.7.10 do not sanitise and escape the html_element_selection parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting
Affected: ad_inserter_pro_project ad_inserter_pro
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/ad-inserter-pro/vulnerability/wordpress-ad-inserter-pro-premium-plugin-2-7-8-reflected-cross-site-scripting-xss-vulnerability
No detection rules found.
Nuclei
WordPress Ad Inserter <2.7.10 - Cross-Site Scripting
nuclei · CVSS 6.1
CVE-2022-0288 [MEDIUM]
Product: WordPress Ad Inserter
Template excerpt (request headers and matchers section only):

```yaml
headers:
  Content-Type: "application/x-www-form-urlencoded"
matchers-condition: and
matchers:
  - type: word
    part: body
    words:
      - ""
      - "ad-inserter"
    condition: and
  - type: word
    part: header
    words:
      - "text/html"
  - type: status
    status:
      - 200
# digest: 4a0a00473045022050221aa88da95de8a2b62e9d031a0a0072fff4c5100216be5bae416ca23ce541022100af0c1a25729bf0321af7997e3b1c355a6bd66e496113c921cb08e7625527c3c0:922c64590222798bb761d5b6d8e72950
```