cvedb.io
CVE-2022-0661
HIGH · CVSS 7.2
EPSS exploitation probability: 0%
Published 2022-04-18T18:15:08.200 · Last modified 2026-06-17T04:21:01.327

Summary

The Ad Injection WordPress plugin through 1.2.0.19 does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user (Admin+) to inject arbitrary HTML or javascript even with unfiltered_html disallowed, leading to a stored cross-site scripting (XSS) vulnerability. Further it is also possible to inject PHP code, leading to a Remote Code execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.

Affected products

ad_injection_project — ad_injection

Does this affect you?

Add your gear to cvedb and we'll alert you only when ad_injection_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.