CVE-2022-0661: 
WordPress vulnerability analysis and mitigation

The Ad Injection WordPress plugin through version 1.2.0.19 contains a security vulnerability identified as CVE-2022-0661. The vulnerability was discovered by researcher Asif Nawaz Minhas and was publicly disclosed on March 22, 2022. This security issue affects the plugin's advertisement injection functionality, specifically impacting the way adverts are processed and displayed in WordPress pages (WPScan).

The vulnerability stems from improper sanitization of advert body content in the plugin. This security flaw allows privileged users (Admin+) to inject arbitrary HTML or JavaScript code, even when the unfilteredhtml capability is disabled. Additionally, the vulnerability enables PHP code injection, which can lead to Remote Code Execution (RCE), even when DISALLOWFILEEDIT and DISALLOWFILE_MOD constants are set. The vulnerability has been assigned a CVSS score of 7.2, indicating a high severity level (WPScan).

The vulnerability can be exploited to perform both stored Cross-Site Scripting (XSS) attacks and Remote Code Execution (RCE). This dual impact makes the vulnerability particularly dangerous as it allows attackers with administrative access to potentially take complete control of the affected WordPress installation (WPScan).

As of the vulnerability disclosure, there is no known fix available for this security issue. Website administrators running the affected version of the Ad Injection plugin should consider either removing the plugin or implementing strict access controls to administrative functions (WPScan).