PT-2022-13339 · WordPress · Ad Injection

Asif Nawaz Minhas · Published 2022-04-18 · Updated 2022-04-27 · CVE-2022-0661

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Ad Injection WordPress plugin versions 1.2.0.19 and earlier
Description: The issue allows a high-privileged user to inject arbitrary HTML or JavaScript into the pages, leading to a stored cross-site scripting (XSS) vulnerability. It is also possible to inject PHP code, leading to a remote code execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.
Recommendations: For Ad Injection WordPress plugin versions 1.2.0.19 and earlier, update to a version later than 1.2.0.19 to resolve the issue. As a temporary workaround, consider restricting the unfiltered_html capability to prevent high-privileged users from injecting arbitrary HTML or JavaScript. Restrict access to the plugin's advert injection functionality to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.
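A must-use plugin that applies the unfiltered_html workaround from the Recommendations above, as an added example: it is not code from this advisory or from the Ad Injection plugin. The file name, the helper name and the deny-to-everyone policy are my assumptions; the `map_meta_cap` filter and `wp_roles()` are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Deny unfiltered_html (temporary workaround)
 * Description: Added example. Place in wp-content/mu-plugins/ so it loads before
 *              normal plugins and cannot be deactivated from the dashboard.
 */

// Capability-level deny: every check for 'unfiltered_html' resolves to the
// pseudo-capability 'do_not_allow', so current_user_can('unfiltered_html') is
// false for administrators and editors alike, and saved content is run through
// wp_kses_post() instead of being stored raw. Defining DISALLOW_UNFILTERED_HTML
// as true in wp-config.php has the same effect in core.
add_filter( 'map_meta_cap', function ( array $caps, $cap, $user_id, array $args ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }
    return array( 'do_not_allow' );
}, 10, 4 );

/**
 * Audit helper (hypothetical name): list the roles whose stored capability set
 * still grants unfiltered_html. The filter above overrides these at check time,
 * but the list shows which roles would regain it if this file were removed.
 *
 * @return string[] Role slugs, e.g. array( 'administrator', 'editor' ).
 */
function wa_roles_granting_unfiltered_html(): array {
    $granting = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities']['unfiltered_html'] ) ) {
            $granting[] = $slug;
        }
    }
    return $granting;
}
```

To confirm the deny is in effect, run `wp eval 'var_dump( user_can( 1, "unfiltered_html" ) );'` with WP-CLI; it should print `bool(false)` even for the site's first administrator.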

Tags: RCE, Code Injection


Related Identifiers: CVE-2022-0661
Affected Products: Ad Injection