CVE-2022-0661
Published: 18 April 2022
Summary
CVE-2022-0661 is a high-severity Code Injection (CWE-94) vulnerability in the Ad Injection WordPress plugin (vendor: Ad Injection Project). Its CVSS base score is 7.2 (High).
Operationally, it is ranked in the top 6.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Ad Injection WordPress plugin through version 1.2.0.19 does not properly sanitize the body of the adverts it injects into pages. A high-privileged user (Admin+) can supply arbitrary HTML or JavaScript even when unfiltered_html is disallowed, resulting in stored cross-site scripting, and can inject PHP even when the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set, resulting in remote code execution.
An authenticated administrator can therefore save malicious advert payloads that persist and execute in the browsers of other site visitors or directly on the server, achieving full control over page content and, via injected PHP, arbitrary command execution.
The referenced WPScan advisory documents the issue but provides no additional mitigation details beyond the version range and privilege requirements. The associated EPSS score has remained flat at 0.1183 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15753
Vulnerability details
The Ad Injection WordPress plugin through 1.2.0.19 does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user (Admin+) to inject arbitrary HTML or javascript even with unfiltered_html disallowed, leading to a stored cross-site scripting (XSS) vulnerability. Further it is also possible to inject PHP code, leading to a Remote Code execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.