Submit #793551: Eyeo GmbH Adblock Plus 4.36.2 Privilege Escalationinfo

TitleEyeo GmbH Adblock Plus 4.36.2 Privilege Escalation
DescriptionA missing origin validation in premium.preload.js allows any JavaScript running in the context of accounts.adblockplus.org to forge a payment_success postMessage event and activate the Premium subscription without payment. The extension background (background.js) further fails to bind the submitted userId to a verified payment session before persisting it and initiating license_check. Tested on v4.36.2, reproducible in ~30 seconds with a single line of JavaScript.
Source⚠️ https://github.com/xryj920/CVE/blob/main/adblock_plus_CVE_report.md
User
 DRXYJ (UID 46872)
Submission03/31/2026 11:44 (3 months ago)
Moderation05/02/2026 18:03 (1 month later)
StatusAccepted
VulDB entry360856 [eyeo Adblock Plus up to 4.36.2 on Chrome Legacy Premium Activation premium.preload.js postMessage access control]
Points20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!