{"vulnerability": "cve-2022-0661", "sightings": [{"uuid": "5e24505c-becb-4833-a53b-65c3f2a75662", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-0661", "type": "seen", "source": "https://t.me/cibsecurity/41064", "content": "\u203c CVE-2022-0661 \u203c\n\nThe Ad Injection WordPress plugin through 1.2.0.19 does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user (Admin+) to inject arbitrary HTML or javascript even with unfiltered_html disallowed, leading to a stored cross-site scripting (XSS) vulnerability. Further it is also possible to inject PHP code, leading to a Remote Code execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-04-18T22:23:51.000000Z"}]}