The vulnerability is in WP Banners Lite, a WordPress plugin designed to make it simple for site owners to install and manage ad banners.
“WP Banners Lite is a plugin which allows you to manage banners on your website. You can use as many different types of banners as you wish. Just create desired banner type and implement it into your theme,” the plugin documentation says.
On Monday a security researcher disclosed a vulnerability in WP Banners Lite and published a proof-of-concept demonstration of an exploit for the flaw. The flaw affects versions 1.29, 1.31 and 1.40 of the plugin. The researcher who discovered and published the vulnerability said he had sent the information to the developer of WP Banners Lite but hadn’t received a response.
“The problem is in wpbanners_show.php, at lines 8 and 9: the developer doesn’t correctly filter the variable called ‘cid’ obtained from the URL (method GET). He obtains ‘cid’ from the URL, does a str_replace to remove the ' character and then prints it,” the advisory says.
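To make the advisory's point concrete, here is an added illustration (not the plugin's code) of the pattern it describes, a GET parameter with only single quotes stripped before being echoed, placed beside a hardened version. It assumes `cid` is meant to be a numeric identifier; the function names and the markup are hypothetical.

```php
<?php
// Added illustration, not WP Banners Lite's own code: the weak pattern the
// advisory describes next to a hardened form. In a real handler the value
// would come from $_GET['cid'] ?? ''; here it is passed in directly.

// Weak pattern as described: only the single-quote character is removed,
// so any other HTML-significant character (<, >, ", &) reaches the page.
function render_cid_weak(string $cid): string
{
    $cid = str_replace("'", '', $cid);
    return '<div class="banner" data-cid="' . $cid . '"></div>';
}

// Hardened form. Assumption: cid is a numeric banner identifier, so reject
// anything that is not a plain non-negative integer, and still HTML-encode
// whatever is echoed into markup. Output encoding, not a character blacklist,
// is the durable fix for reflected output of request data.
function render_cid_safe(string $cid): ?string
{
    if (!ctype_digit($cid)) {
        return null; // not an integer: refuse to render rather than sanitise
    }
    $encoded = htmlspecialchars($cid, ENT_QUOTES, 'UTF-8');
    return '<div class="banner" data-cid="' . $encoded . '"></div>';
}

// Constructed inputs: a normal id and one carrying markup characters.
$inputs = ['42', '<b>42</b>'];
foreach ($inputs as $in) {
    echo "weak : " . render_cid_weak($in) . "\n";
    echo "safe : " . var_export(render_cid_safe($in), true) . "\n";
}
```

Running it shows the weak renderer passing the markup-bearing value through unchanged, while the hardened one rejects it and would encode any characters that did reach the output.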