VYPR
Medium severity 6.4 · NVD Advisory · Published May 14, 2024 · Updated Apr 15, 2026

CVE-2024-3952

Description

Stored XSS in Advanced Ads plugin ≤1.52.1 lets authenticated attackers with contributor access inject arbitrary scripts via the Advanced Ad widget.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.52.1. The flaw exists in the Advanced Ad widget due to insufficient input sanitization and output escaping on user-supplied attributes. The vulnerable code resides in the Gutenberg block render callback in modules/gutenberg/includes/class-gutenberg.php [2].
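To illustrate the class of defect described above, here is an added example that is not the plugin's code (the page does not reproduce it): a hypothetical Gutenberg render callback that concatenates stored block attributes straight into HTML, beside a hardened version that coerces each attribute to its expected type and escapes it for its output context. The block name and the attribute names `adId`, `cssClass` and `title` are assumptions.

```php
<?php
// Added illustration, not code from Advanced Ads. Block and attribute names are hypothetical.

// Vulnerable pattern: attributes saved with the block by any user who can author
// posts are concatenated into markup unescaped, so a closing quote followed by a
// tag in cssClass or title is stored and rendered into every visitor's page.
function hypothetical_ad_render_unsafe( array $attributes ): string {
    $id    = $attributes['adId'] ?? '';
    $class = $attributes['cssClass'] ?? '';
    $title = $attributes['title'] ?? '';
    return '<div class="advads-block ' . $class . '" data-ad="' . $id . '">'
         . '<span class="advads-title">' . $title . '</span></div>';
}

// Hardened pattern: validate the type first, then escape for the exact context
// (HTML attribute versus element text) at the point of output.
function hypothetical_ad_render_safe( array $attributes ): string {
    // Ad IDs are integers; absint() discards anything that is not one.
    $id = absint( $attributes['adId'] ?? 0 );
    // A CSS class can only contain a narrow character set; strip the rest.
    $class = preg_replace( '/[^A-Za-z0-9_\- ]/', '', (string) ( $attributes['cssClass'] ?? '' ) );
    $title = (string) ( $attributes['title'] ?? '' );

    return sprintf(
        '<div class="advads-block %s" data-ad="%d"><span class="advads-title">%s</span></div>',
        esc_attr( $class ), // attribute context
        $id,                // already an integer
        esc_html( $title )  // text-node context
    );
}

// Server-rendered block registration: the render callback is the single place
// where stored attributes become HTML, so escaping there is the control that matters.
add_action( 'init', function () {
    register_block_type( 'hypothetical/ad-block', array(
        'render_callback' => 'hypothetical_ad_render_safe',
        'attributes'      => array(
            'adId'     => array( 'type' => 'integer' ),
            'cssClass' => array( 'type' => 'string' ),
            'title'    => array( 'type' => 'string' ),
        ),
    ) );
} );
```

If the title were meant to carry limited markup, wp_kses_post() would replace esc_html() for that field; the type coercion and attribute-context escaping stay as shown.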

Exploitation

An attacker must have at least contributor-level access to the WordPress site. The attacker can inject arbitrary web scripts through the widget attributes. When a user accesses a page containing the injected ad widget, the script executes in the context of the victim's browser. No additional user interaction beyond viewing the page is required [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any user who views the compromised page. This can lead to session hijacking, defacement, or theft of sensitive information such as authentication cookies. The attack is persistent (stored), meaning the malicious payload remains on the page across visits.

Mitigation

The vendor has released version 2.0.21, which addresses this vulnerability [1]. Users should update to version 2.0.21 or later immediately. There is no known workaround for versions prior to the fix; the plugin must be updated to eliminate the XSS risk.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)