Content.ad - Reflected cross-site scripting (XSS)
Summary
| Name | Content.ad 1.3. - Reflected cross-site scripting (XSS) |
| Code name | skims-0007 |
| Product | Content.ad |
| Affected versions | Version 1.3. |
| State | Private |
| Release date | 2025-03-14 |
Vulnerability
| Kind | Reflected cross-site scripting (XSS) |
| Rule | Reflected cross-site scripting (XSS) |
| Remote | No |
| CVSSv4 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:U |
| CVSSv4 Base Score | 4.8 (Medium) |
| Exploit available | No |
| CVE ID(s) | CVE-2025-31292 |
Description
Content.ad 1.3. was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/includes/post-type.class.php.
Vulnerability
Skims by Fluid Attacks discovered a Reflected cross-site scripting (XSS) in Content.ad 1.3.. The following is the output of the tool:
Skims output
234 | function save_post( $post_id ) {
235 | if ( 'content_ad_widget' == get_post_type( $post_id ) ) {
236 | if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
237 | return $post_id;
238 | }
239 | if( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
240 | contentAd_append_to_log( 'AJAX ""QUICK EDIT"" SAVE' );
241 | if( isset( $_POST['action'] ) && isset( $_POST['screen'] ) && 'inline-save' == $_POST['action'] && 'edit-content_ad_
242 |
243 | // If Template Tag or Shortcode placements are selected, then all other placement options are reset since they may
244 | if( isset( $_POST['placement'] ) && ( $_POST['placement'] == 'in_function' || $_POST['placement'] == 'in_shortcode'
245 | $_POST['_ca_display_home'] = 1;
246 | $_POST['_ca_display_cat_tag'] = 1;
247 | unset($_POST['post_category']); $_POST['post_category'] = array();
248 | unset($_POST['post_tag']); $_POST['post_tag'] = array();
249 |
250 | }
251 |
252 | if ( isset( $_POST['_ca_display_home'] ) ) {
253 | contentAd_append_to_log( ' UPDATING _ca_display_home FOR POST ('.$post_id.') TO: ' . $_POST['_ca_display_home']
254 | update_post_meta( $post_id, '_ca_display_home', strip_tags( $_POST['_ca_display_home'] ) );
255 | } else {
256 | contentAd_append_to_log( ' UPDATING _ca_display_home FOR POST ('.$post_id.') TO: 0' );
257 | delete_post_meta( $post_id, '_ca_display_home' );
258 | }
259 |
260 | if ( isset( $_POST['_ca_display_cat_tag'] ) ) {
261 | contentAd_append_to_log( ' UPDATING _ca_display_cat_tag PLACEMENT FOR POST ('.$post_id.') TO: ' . $_POST['_ca_d
262 | update_post_meta( $post_id, '_ca_display_cat_tag', strip_tags( $_POST['_ca_display_cat_tag'] ) );
263 | } else {
264 | contentAd_append_to_log( ' UPDATING _ca_display_cat_tag FOR POST ('.$post_id.') TO: 0' );
265 | delete_post_meta( $post_id, '_ca_display_cat_tag' );
266 | }
267 |
268 | if ( isset( $_POST['placement'] ) ) {
269 | contentAd_append_to_log( ' UPDATING PLACEMENT FOR POST ('.$post_id.') TO: ' . $_POST['placement'] );
270 | update_post_meta( $post_id, 'placement', strip_tags( $_POST['placement'] ) );
271 | }
272 |
273 | if( isset( $_POST['post_category'] ) && is_array( $_POST['post_category'] ) ) {
274 | foreach( $_POST['post_category'] as $key => $cat_id ) {
275 | if( empty( $cat_id ) ) {
276 | unset( $_POST['post_category'][$key] );
277 | } else {
278 | $_POST['post_category'][$key] = (int) $cat_id;
279 | }
280 | }
281 | contentAd_append_to_log( ' UPDATING EXCLUSION CATEGORIES FOR POST ('.$post_id.') TO: ' . join(', ', $_POST['pos
282 | update_post_meta( $post_id, '_excluded_categories', $_POST['post_category'] );
283 | }
284 |
> 285 | echo $_POST['post_tag'];
286 |
287 | if( isset( $_POST['post_tag'] ) ) {
288 | $tags = explode(',', preg_replace( '/, /', ',', strip_tags( implode("" "", $_POST['post_tag']) ) ));
289 | $terms = array();
290 | $terms = array_unique($terms);
291 | foreach( $tags as $tag ) {
292 | $term = get_term_by( 'name', $tag, 'post_tag' );
293 | if( $term ) {
294 | $terms[] = $term->name;
295 | } else {
296 | wp_insert_term( $tag, 'post_tag' );
297 | contentAd_append_to_log( ' ADDING NEW EXCLUSION TAGS: ' . join( ', ', $return ) );
298 | $terms[] = $tag;
299 | $new_terms[] = $tag;
300 | }
301 | }
302 | if($new_terms) {
303 | contentAd_append_to_log( ' ADDING NEW EXCLUSION TAGS: ' . join( ', ', $new_terms ) );
304 | }
305 | contentAd_append_to_log( ' UPDATING EXCLUSION TAGS FOR POST ('.$post_id.') TO: ' . join( ', ', $terms ) );
306 | update_post_meta( $post_id, '_excluded_tags', join( ', ', $terms ) );
307 | }
308 | }
309 | }
310 | }
311 | }
^ Col 0
Our security policy
We have reserved the ID CVE-2025-31292 to refer to this issue from now on.
System Information
- Product: Content.ad
- Version: 1.3.
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims
Timeline
2025-03-14
Vulnerability discovered.
2025-03-14
Vendor contacted.
