Hardly a week goes by without some new vulnerability in WordPress or one of its components showing up on a mailing list or in a security advisory. This week’s first entrant is a newly disclosed flaw in a plugin that displays ad banners on WordPress sites, a bug that enables an attacker to inject malicious Javascript or HTML code on any vulnerable site.
The vulnerability is in WP Banners Lite, a WordPress plugin designed to make it simple for site owners to install and manage ad banners.
“WP Banners Lite is a plugin which allows you to manage banners on your website. You can use as many different types of banners as you wish. Just create desired banner type and implement it into your theme,” the plugin documentation says.
On Monday a security researcher disclosed a vulnerability in the WP Banners Lite and published a proof-of-concept demonstration of an exploit for the flaw. The flaw affects versions 1.29, 1.31 and 1.40 of the plugin. The researcher who discovered and published the vulnerability said he had sent the information to the developer of WP Banners Lite but hadn’t received a response.
“The problem is wpbanners_show.php, at lines 8 and 9, the developer doesn’t filter correctly the variable called “cid” obtained from URL (Method GET). He obtains “cid” from URL, do a str_replace to remove ‘ and then he print it,” the advisory says.
The researcher, Fernando A. Lagos Berardi, said in the advisory that an attacker could exploit the problem by injecting his own HTML or Javascript. Version 1.40 is the most recent version of the WP Banners Lite plugin listed on the developer’s page on WordPress.org.