Advanced Ads Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Ad Widget – CVE-2024-3952 | WordPress Plugin Vulnerability Report
Plugin Name: Advanced Ads
Key Information:
- Software Type: Plugin
- Software Slug: advanced-ads
- Software Status: Active
- Software Author: monetizemore
- Software Downloads: 9,195,831
- Active Installs: 100,000
- Last Updated: May 7, 2024
- Patched Versions: 1.52.2
- Affected Versions: <= 1.52.1
Vulnerability Details:
- Name: Advanced Ads – Ad Manager & AdSense <= 1.52.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Ad Widget
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2024-3952
- CVSS Score: 6.4 (Medium)
- Publicly Published: May 7, 2024
- Researcher: wesley (wcraft)
- Description: The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Ad widget in all versions up to, and including, 1.52.1 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Advanced Ads plugin for WordPress, in versions up to and including 1.52.1, allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages via the Advanced Ad widget. The root cause is insufficient input sanitization and output escaping of user-supplied widget attributes. This vulnerability has been patched in version 1.52.2.
Detailed Overview:
The vulnerability was discovered by researcher wesley (wcraft) and publicly disclosed on May 7, 2024. It is identified as CVE-2024-3952 and has a CVSS score of 6.4 (Medium). The vulnerability is located in the Advanced Ad widget: attribute values supplied by a contributor-level user are stored without adequate sanitization and rendered without adequate escaping, so injected script executes in the browser of any user who views a page containing the affected widget. This could lead to sensitive information disclosure, session hijacking, or other attacks carried out in the context of the viewing user.
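To make the defect class concrete, the following is an added illustration and not Advanced Ads' own code: a hypothetical WordPress widget (class, field and option names are assumptions) showing the vulnerable pattern the advisory describes, user-supplied attributes stored unsanitized and echoed unescaped, next to the hardened form that sanitizes on save and escapes for the output context at render time.

```php
<?php
// Added illustration, not Advanced Ads' code. Hypothetical widget showing
// the defect class described in the advisory beside its hardened form.

class Example_Ad_Widget extends WP_Widget {
    public function __construct() {
        parent::__construct( 'example_ad_widget', 'Example Ad Widget' );
    }

    // VULNERABLE pattern: stores whatever the widget form submitted.
    public function update_vulnerable( $new_instance, $old_instance ) {
        return $new_instance; // raw attribute values reach the database
    }

    // HARDENED: sanitize on save. Contributors lack the unfiltered_html
    // capability, so any markup they supply is reduced to an allow-list.
    public function update( $new_instance, $old_instance ) {
        $instance           = array();
        $instance['title']  = sanitize_text_field( $new_instance['title'] ?? '' );
        $instance['css_id'] = sanitize_html_class( $new_instance['css_id'] ?? '' );
        $markup             = (string) ( $new_instance['markup'] ?? '' );
        $instance['markup'] = current_user_can( 'unfiltered_html' )
            ? $markup
            : wp_kses_post( $markup );
        return $instance;
    }

    // VULNERABLE pattern: attribute and text interpolated verbatim, so a
    // stored value can break out of the id attribute or add a <script> tag.
    public function widget_vulnerable( $args, $instance ) {
        echo '<div id="' . $instance['css_id'] . '">' . $instance['title'] . '</div>';
    }

    // HARDENED: escape each value for the exact context it lands in.
    public function widget( $args, $instance ) {
        echo $args['before_widget'];
        echo '<div id="' . esc_attr( $instance['css_id'] ) . '">';
        echo '<h2>' . esc_html( $instance['title'] ) . '</h2>';
        echo wp_kses_post( $instance['markup'] ); // allow-listed HTML only
        echo '</div>';
        echo $args['after_widget'];
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Example_Ad_Widget' );
} );
```

Sanitizing at save time alone is not sufficient, because values can also enter the option store through other paths; escaping at output is what prevents the stored value from being interpreted as markup.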
Advice for Users:
- Immediate Action: Users are strongly advised to update their Advanced Ads plugin to version 1.52.2 or later to address this vulnerability.
- Check for Signs of Vulnerability: Review your website for any suspicious or unauthorized content, particularly in pages containing the Advanced Ad widget.
- Alternative Plugins: Although a patch is available, users may still wish to consider plugins that offer similar functionality as a precaution.
- Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.52.2 or later to secure their WordPress installations.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-ads
Detailed Report:
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.