A critical vulnerability was discovered in Ad Inserter, a popular Ad management WordPress plugin. This vulnerability allows an authenticated user as low as a subscriber to execute code on the affected website. It’s important that users of the plugin update immediately.

This is a screenshot of the WordPress dashboard. In the top left hand corner is a link that allows you to update your plugins.

There are actually two vulnerabilities: an Authenticated Path Traversal Exploit and an Authenticated Remote Code Execution.

The Authenticated Path Traversal Exploit exists in Ad Inserter version 2.4.19 and under.

This exploit lets an attacker reach areas of a site outside the intended directory by adding special sequences such as ../ to a URL parameter. This gives an attacker the ability to “traverse” to a location that may allow them to execute code or read private information.

According to the Common Weakness Enumeration (CWE) web page about path traversal, on a website that is maintained by the U.S. Department of Homeland Security, this is how a path traversal exploit works:

“The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.”
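To make the CWE description concrete, here is an added example (not code from Ad Inserter or from the article) of a small PHP file reader written the weak way beside a hardened version. The directory tree, file names and the `read_ad_vulnerable` / `read_ad_safe` helpers are all constructed for this demo; the hardened version canonicalizes the path with `realpath()` and refuses any result that does not stay under the restricted directory.

```php
<?php
// Added example, not Ad Inserter's code: the CWE-22 weakness quoted above,
// beside a hardened version. Directory names and files are constructed here
// so the script runs offline.

declare(strict_types=1);

// Throwaway tree:
//   <tmp>/traversal-demo-<pid>/ads/banner.txt  (allowed)
//   <tmp>/traversal-demo-<pid>/secret.txt      (must never be reachable)
$root = sys_get_temp_dir() . '/traversal-demo-' . getmypid();
$ads  = $root . '/ads';
mkdir($ads, 0700, true);
file_put_contents($ads . '/banner.txt', "ad banner\n");
file_put_contents($root . '/secret.txt', "DB_PASSWORD=example\n");

// Vulnerable: external input is concatenated straight into the pathname,
// so a name such as "../secret.txt" resolves outside the ads directory.
function read_ad_vulnerable(string $base, string $name)
{
    return @file_get_contents($base . '/' . $name);
}

// Hardened: canonicalize with realpath() and require the resolved path to
// remain inside the restricted directory; anything else is refused.
function read_ad_safe(string $base, string $name)
{
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $name);
    if ($baseReal === false || $target === false) {
        return false; // base directory missing, or requested file does not exist
    }
    // Compare against the prefix *with* a trailing separator, so that
    // "/ads" is not fooled by a sibling such as "/ads-old".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved path escaped the restricted directory
    }
    return file_get_contents($target);
}

// Demonstrate both behaviours on a legitimate name and on a traversal attempt.
foreach (['banner.txt', '../secret.txt'] as $name) {
    printf(
        "%-15s vulnerable=%-5s safe=%s\n",
        $name,
        var_export(read_ad_vulnerable($ads, $name) !== false, true),
        var_export(read_ad_safe($ads, $name) !== false, true)
    );
}

// Remove the demo tree.
unlink($ads . '/banner.txt');
unlink($root . '/secret.txt');
rmdir($ads);
rmdir($root);
```

Run with `php traversal-demo.php`. The vulnerable reader returns the contents of secret.txt for the `../secret.txt` input while the hardened reader returns false; the prefix comparison after `realpath()` is the check that neutralizes the special elements the CWE text refers to. Note that `realpath()` also fails for files that do not exist, so the hardened version only ever serves files that are both present and inside the allowed directory.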

The Authenticated Remote Code Execution vulnerability is labeled as critical. It was discovered on Friday, July 12th by the WordFence team and swiftly fixed by Ad Inserter the following day, Saturday, July 13, 2019.

This vulnerability allows users who are registered with the site, with permissions as low as a subscriber, to execute arbitrary code on a WordPress installation.

The RCE exploit affects Ad Inserter version 2.4.21 and under.

According to the WordFence website:

“On Friday, July 12th, our Threat Intelligence team discovered a vulnerability present in Ad Inserter, a WordPress plugin installed on over 200,000 websites. The weakness allowed authenticated users (Subscribers and above) to execute arbitrary PHP code on websites using the plugin.

We privately disclosed the issue to the plugin’s developer, who released a patch the very next day.

This is considered a critical security issue…”

Most plugins and other software may contain a vulnerability at some point. The important thing is how fast developers respond to them, as well as how transparent they are with users.

The Ad Inserter team alerted their users to the vulnerability through the changelog that is visible on every user’s update page. The team acted swiftly and ethically.

All users of the Ad Inserter WordPress plugin are urged to log in to their WordPress installation and update their Ad Inserter plugin.

Read the WordFence announcement here.

Source: Roger Montti