Advanced Ads Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Ad Widget – CVE-2024-3952 | WordPress Plugin Vulnerability Report

Plugin Name: Advanced Ads

Key Information:

  • Software Type: Plugin
  • Software Slug: advanced-ads
  • Software Status: Active
  • Software Author: monetizemore
  • Software Downloads: 9,195,831
  • Active Installs: 100,000
  • Last Updated: May 7, 2024
  • Patched Versions: 1.52.2
  • Affected Versions: <= 1.52.1

Vulnerability Details:

  • Name: Advanced Ads – Ad Manager & AdSense <= 1.52.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Ad Widget
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-3952
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: May 7, 2024
  • Researcher: wesley (wcraft)
  • Description: The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Ad widget in all versions up to, and including, 1.52.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Advanced Ads plugin for WordPress has a vulnerability in versions up to and including 1.52.1 that allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages via the Advanced Ad widget due to insufficient input sanitization and output escaping on user supplied attributes. This vulnerability has been patched in version 1.52.2.

Detailed Overview:

The vulnerability was discovered by researcher wesley (wcraft) and publicly disclosed on May 7, 2024. It is identified as CVE-2024-3952 and has a CVSS score of 6.4 (Medium). The vulnerability is located in the Advanced Ad widget and allows attackers to inject malicious scripts that will execute whenever a user accesses an infected page. This could potentially lead to sensitive information disclosure, session hijacking, or other types of attacks.

Advice for Users:

  1. Immediate Action: Users are strongly advised to update their Advanced Ads plugin to version 1.52.2 or later to address this vulnerability.
  2. Check for Signs of Vulnerability: Review your website for any suspicious or unauthorized content, particularly in pages containing the Advanced Ad widget.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.52.2 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-ads

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-ads/advanced-ads-ad-manager-adsense-1521-authenticated-contributor-stored-cross-site-scripting-via-ad-widget

Detailed Report:

As a website owner, keeping your WordPress site secure should always be a top priority. Today, we want to bring your attention to a critical vulnerability discovered in the Advanced Ads plugin, a popular ad management solution for WordPress. This vulnerability, identified as CVE-2024-3952, affects all versions of the plugin up to and including 1.52.1.

The vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious scripts into your website through the Advanced Ad widget. These scripts can execute whenever a user visits an infected page, potentially leading to sensitive information disclosure, session hijacking, or other types of attacks.

About the Advanced Ads Plugin

Advanced Ads is a popular WordPress plugin that helps website owners manage and display advertisements on their sites. With over 100,000 active installations and more than 9 million downloads, it is a widely used solution for monetizing WordPress websites.

Vulnerability Details

The vulnerability, discovered by researcher wesley (wcraft) and publicly disclosed on May 7, 2024, is identified as CVE-2024-3952 and has a CVSS score of 6.4 (Medium). It is caused by insufficient input sanitization and output escaping on user-supplied attributes in the Advanced Ad widget, allowing attackers to inject arbitrary web scripts that execute whenever a user accesses an injected page.

Risks and Potential Impacts

Exploiting this vulnerability, attackers can potentially:

  • Steal sensitive information from your website's users
  • Hijack user sessions and gain unauthorized access to your website
  • Distribute malware to your website's visitors
  • Deface your website or insert malicious content
  • Damage your website's reputation and trust among users

How to Fix the Vulnerability

To protect your website and your users, follow these steps:

  1. Immediately update the Advanced Ads plugin to version 1.52.2 or later, which includes a patch for this vulnerability.
  2. Review your website for any suspicious or unauthorized content, particularly in pages containing the Advanced Ad widget.
  3. Consider using alternative plugins that offer similar functionality as a precaution.
  4. Ensure that all your WordPress plugins, themes, and core installations are always up to date to minimize the risk of vulnerabilities.

Previous Vulnerabilities

It is worth noting that the Advanced Ads plugin has had three previous vulnerabilities reported since March 2020. This highlights the importance of staying vigilant and keeping your plugins updated to the latest secure versions.

The Importance of Staying Updated

As a small business owner, it is understandable that you may not have the time or resources to constantly monitor your website's security. However, the consequences of a compromised website can be severe, including loss of sensitive data, damage to your reputation, and potential legal liabilities.

By keeping your WordPress plugins, themes, and core installation up to date, you can significantly reduce the risk of falling victim to known vulnerabilities. If you find it challenging to stay on top of updates, consider partnering with a reliable WordPress maintenance and security service provider who can handle these tasks for you, giving you peace of mind and allowing you to focus on running your business.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.

Advanced Ads Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Ad Widget – CVE-2024-3952 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment