Ad Inserter is a popular WordPress plugin that lets site administrators manage the ads on their websites.
Update Ad Inserter
If you are using Ad Inserter on your website, update the plugin to the latest version now. You can continue reading this post after the update. 🙂
On July 12, the Wordfence team (makers of another popular WordPress security plugin) disclosed a Remote Code Execution (RCE) vulnerability in Ad Inserter. It allows an authenticated attacker, even one with a low-privileged account, to run arbitrary PHP code on the site.
The vulnerability was in the plugin's ad preview feature, which lets you check an ad's position, size, etc. before publishing it. This action is meant to be available only to WordPress administrators, and to enforce that, the plugin author relied on the WordPress function ‘check_admin_referer()’.
The Wordfence threat intelligence team, who found the bug, pointed out that ‘check_admin_referer()’ is not sufficient protection on its own. It is designed to prevent CSRF (cross-site request forgery), and it does that by checking that the request carries a valid nonce. Despite the name, a WordPress nonce is not single-use: it is a time-limited token tied to an action and the current user, and it is not tied to any particular role.
In simple words, check_admin_referer() looks for something like an OTP in the request; if it finds a valid one, the action goes ahead. That only restricts the action to administrators if administrators are the only users who ever receive the token. A nonce proves where a request came from, not who the user is. Restricting an action to administrators needs a capability check, such as current_user_can('manage_options'), alongside the nonce check.
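To make the distinction concrete, here is an added example (my own code, not Ad Inserter's code or its patch, and not Wordfence's) contrasting an AJAX handler guarded by check_admin_referer() alone with one that also checks a capability. The handler names, the 'demo_preview' nonce action and the 'code' POST field are hypothetical; the stubs at the bottom stand in for WordPress so the file runs under plain `php` from the command line, and the "subscriber with a nonce" scenario is constructed.

```php
<?php
// Added example, not code from Ad Inserter or Wordfence. It contrasts an AJAX
// handler guarded by check_admin_referer() alone with one that also checks a
// capability. The handler names, the 'demo_preview' nonce action and the 'code'
// POST field are hypothetical. The stubs near the bottom stand in for WordPress
// only so the file runs under plain `php` outside WordPress.

// Stand-in for whatever the preview does with the submitted ad code. The real
// plugin executed PHP at this point, which is what turned the missing check
// into RCE; this stub deliberately does not execute anything.
function demo_render_preview( $code ) {
    return 'preview rendered for: ' . $code;
}

// Pattern 1 (the weak one): nonce only. check_admin_referer() proves the request
// carries a valid nonce for 'demo_preview', i.e. it came from a page that had
// the nonce. It says nothing about who the user is, so any user who can obtain
// the nonce passes.
function demo_preview_nonce_only() {
    check_admin_referer( 'demo_preview', '_wpnonce' );
    return demo_render_preview( $_POST['code'] );
}

// Pattern 2 (the fix): nonce for CSRF, plus a capability check for authorization.
// manage_options is a capability administrators hold and subscribers do not.
function demo_preview_hardened() {
    check_admin_referer( 'demo_preview', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    return demo_render_preview( $_POST['code'] );
}

// Inside WordPress the handler would be registered like this (only the hardened one should be):
// add_action( 'wp_ajax_demo_preview', 'demo_preview_hardened' );

if ( ! function_exists( 'check_admin_referer' ) ) {
    // Minimal stand-ins for the WordPress functions used above, constructed for
    // this demo. Real WordPress nonces also mix in the user ID, session token
    // and a time tick, which is why they expire but are still not single-use.
    define( 'DEMO_NONCE_SECRET', 'constructed-demo-secret' );
    $GLOBALS['demo_user_caps'] = array();

    function wp_create_nonce( $action = -1 ) {
        return substr( hash_hmac( 'sha256', (string) $action, DEMO_NONCE_SECRET ), 0, 10 );
    }
    function wp_verify_nonce( $nonce, $action = -1 ) {
        return hash_equals( wp_create_nonce( $action ), (string) $nonce );
    }
    function wp_die( $message = '', $title = '' ) {
        // Real wp_die() ends the request; here it throws so the demo can continue.
        throw new RuntimeException( $message . ' (HTTP ' . $title . ')' );
    }
    function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
        $nonce = isset( $_POST[ $query_arg ] ) ? $_POST[ $query_arg ] : '';
        if ( ! wp_verify_nonce( $nonce, $action ) ) {
            wp_die( 'The link you followed has expired.', 403 );
        }
        return 1;
    }
    function current_user_can( $capability ) {
        return in_array( $capability, $GLOBALS['demo_user_caps'], true );
    }
}

// Constructed scenario: a subscriber who has obtained the preview nonce
// (for example from JavaScript served to every logged-in user).
$GLOBALS['demo_user_caps'] = array( 'read' );   // subscriber: no manage_options
$_POST = array(
    '_wpnonce' => wp_create_nonce( 'demo_preview' ),
    'code'     => '<?php /* attacker-controlled code */ ?>',  // never executed here
);

foreach ( array( 'demo_preview_nonce_only', 'demo_preview_hardened' ) as $handler ) {
    try {
        echo $handler . ': ' . $handler() . PHP_EOL;
    } catch ( RuntimeException $e ) {
        echo $handler . ': blocked, ' . $e->getMessage() . PHP_EOL;
    }
}
```

Run it with `php demo.php`: the nonce-only handler renders the subscriber's "preview" because the nonce is valid, while the hardened handler is blocked by the capability check. The takeaway for plugin authors is that check_admin_referer() and current_user_can() answer different questions (did this request come from my page, and is this user allowed to do this) and an admin-only action needs both.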
The vulnerability affects Ad Inserter version 2.4.21 and below, so if you are using Ad Inserter, make sure it is up to date. If you use Wordfence Premium, you already have a firewall rule protecting against this (still update the plugin). If you use the free version of Wordfence, you will receive that firewall rule 30 days later, on August 11; it is a mitigation, not a fix, so the plugin update is what actually closes the hole.
You can read more about this vulnerability in Wordfence's disclosure post.