News

Vulnerability in the plugin for WordPress allowed to execute PHP-code remotely

Information security specialists from Wordfence have found the vulnerability of the Ad Inserter plugin for WordPress installed on more than 200,000 websites. The bug allows attackers remotely execute PHP code on the site.

The vulnerability affects all WordPress websites with installed Ad Inserter 2.4.21 or lower.

“The weakness allowed authenticated users (Subscribers and above) to execute arbitrary PHP code on websites using the plugin”, — reported information security experts from Wordfence that discovered the vulnerability.

Ad Inserter — plug-in for managing ads with advanced features for placing ads in optimal positions. It supports all types of advertising, including Google AdSense, Google Ad Manager (DFP – DoubleClick for Publishers), contextual Amazon Native Shopping Ads, Media.net, and changing banners.

According to Wordfence researchers, the vulnerability is related to use of check_admin_referer () function for authorization, which is intended to protect WordPress sites from CSRF attacks. This function checks presence of one-time codes in the request (a one-time token used to prevent the processing of unwanted repeated, expired or malicious requests).

The practice is designed to ensure that users with proper rights can only access the one-time code. However, WordPress developers received caution against using one-time codes and point out in official documentation that “you should never rely on one-time codes for authentication, authorization or access control.

Having one-time code available, authenticated attackers can bypass the authorization check and gain access to the debug mode provided by the Ad Inserter plugin.

Typically, these debugging features are available only to administrators, explain researchers. In case of activating some settings, almost every page includes JavaScript code that contains a valid one-time code for the ai_ajax_backend action. Once an attacker receives a one-time code, he can activate debugging and exploit the ad preview function by sending a malicious payload with arbitrary PHP code.

Ad Inserter developers have already released a revised version of the plugin.

“This is considered a critical security issue, and websites running Ad Inserter 2.4.21 or below should be updated to version 2.4.22 right away”, — recommend Wordfence specialists to WordPress administrators.

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove News-xbuhoxu.store Pop-up Ads

About News-xbuhoxu.store News-xbuhoxu.store pop-ups can not open out of nowhere. If you have actually clicked…

5 hours ago

Remove News-xbadeyo.today Pop-up Ads

About News-xbadeyo.today News-xbadeyo.today pop-ups can not introduce out of nowhere. If you have clicked on…

5 hours ago

Remove News-bbutohu.info Pop-up Ads

About News-bbutohu.info News-bbutohu.info pop-ups can not open out of nowhere. If you have actually clicked…

5 hours ago

Remove News-bbucoxe.today Pop-up Ads

About News-bbucoxe.today News-bbucoxe.today pop-ups can not launch out of the blue. If you have clicked…

5 hours ago

Remove News-xdetake.cc Pop-up Ads

About News-xdetake.cc News-xdetake.cc pop-ups can not expose out of nowhere. If you have clicked on…

8 hours ago

Remove News-bbufiya.today Pop-up Ads

About News-bbufiya.today News-bbufiya.today pop-ups can not expose out of nowhere. If you have clicked some…

8 hours ago