A critical security issue in the WordPress Ad Inserter plugin currently installed on over 200,000 sites allows authenticated attackers to execute PHP code remotely.
Ad Inserter is an’ ad-management plugin with many advanced advertising features for inserting ads in the best possible position’ and is supported by the’ all kinds of advertising, including Google AdSense, Google Ad Manager, contextual Amazon Native Shopping Ads, Media.net and rotational Banners.’
The WordPress official documentation website discourages this practice by stating that “Nonces should not be relied on for authentication or authorisation, access control.” The vulnerability is critical and concerns all Websites where Ad Inserter plug-ins are installed in version 2.4.21 or below.
To patch this issue, it should be updated by WordPress admins to version 2.4.22 released by the plugin developer within one day of the security flaw being notified.
According to the Wordfence researcher who discovered a critical Ad Inserter bug
“The weakness enabled authenticated users (subscribers and above) to execute arbitrary PHP code on websites using the plugin.”
Abuse the Authenticated attacker plugin Ad Inserter that gets its hands on a nonce can circumvent permission checks running the check admin referer) (function to access the debug mode that the Ad Inserter plugin provides.
Once the attacker has a nonce available, he can immediately trigger the Debug feature and, even more dangerous, “exploit its ad preview feature by sending a malicious payload that contains arbitrary PHP code.” On 13 July, the plugins developer released a patch 2.4.22 which fixed the vulnerability of authenticated remote code execution after he was notified about the security fl.
As shown in the WordPress marketplace entry of Ad Inserter plugin, only just over 50,000 installed it from an install base of over 200,000 websites until this story was published.