Reflected XSS in Advanced Ads Admin Dashboard

Sucuri Labs

A patch for a vulnerability in the Advanced Ads plugin has been released. Prior to version 1.17.4, attackers were able to exploit two reflected XSS attacks via the admin dashboard.

Both vulnerabilities are related to the advads-last-edited-group property, which should normally be a number.

As the argument in this property was not sanitized, a malicious payload can be injected into websites using vulnerable versions of this plugin, causing up to two reflected XSS on the page.

$last_edited_group_id = 0;
if ( isset( $_REQUEST['advads-last-edited-group'] ) ) {
        $last_edited_group_id = $_REQUEST['advads-last-edited-group'];
        ?>
        <script>
                var body = document.getElementsByTagName("body")[0];
                body.addEventListener("load", function(){
                        jQuery('#advads-ad-group-<?php echo $last_edited_group_id; ?>').get(0).scrollIntoView(false);
                }, true);
        </script>
        <?php
}// ...
<div id="advads-ad-group-list">
        <form action="" method="post" id="advads-form-groups">
                <?php wp_nonce_field( 'update-advads-groups', 'advads-group-update-nonce' ); ?>
                <table class="wp-list-table widefat fixed adgroups">
                        <?php $ad_groups_list->render_header(); ?>
                        <?php $ad_groups_list->render_rows(); ?>
                </table>
<input type="hidden" name="advads-last-edited-group" id="advads-last-edited-group" value="<?php echo $last_edited_group_id; ?>"/>
                <div class="tablenav bottom">
                        <?php submit_button( __( 'Update Groups', 'advanced-ads' ) ); ?>
                </div>
        </form>
</div>

If a website administrator visits an attacker’s specially crafted link, the bad actor may be able to gain access to the compromised environment and obtain access to the account.

Timeline:

  • 2020-03-08: Initial disclosure
  • 2020-03-09: Update provided by the developer
  • 2020-03-09: Version 1.17.4 released

Mitigation Steps:

Websites with Ads Admin versions lower than 1.17.4 should update their plugins to the latest patch immediately to mitigate risk. As always, customers using our WAF are protected from this issue with our virtual patching technology.