A critical security issue found in the Ad Inserter WordPress plugin currently installed on over 200,000 websites allows authenticated attackers to remotely execute PHP code.
Ad Inserter is an “ad management plugin with many advanced advertising features to insert ads at optimal positions” and it comes with support for “all kinds of ads including Google AdSense, Google Ad Manager (DFP – DoubleClick for publishers), contextual Amazon Native Shopping Ads, Media.net and rotating banners.”
Misuse of CSRF protection function
The vulnerability stems from the use of the check_admin_referer() for authorization, when it was specifically designed to protect WordPress sites against cross-site request forgery (CSRF) exploits using nonces — one-time tokens used for blocking expired and repeated requests.
This practice is discouraged by the WordPress official documentation website which says that “Nonces should never be relied on for authentication or authorization, access control.”
The vulnerability is considered critical and affects all WordPress websites where the Ad Inserter plugin version 2.4.21 or below is installed.
To patch this issue, WordPress admins should update it to version 2.4.22 which was released by the plugin developer within a day after being notified of the security flaw.
“The weakness allowed authenticated users (Subscribers and above) to execute arbitrary PHP code on websites using the plugin,” according to the Wordfence researchers who discovered the Ad Inserter plugin critical bug.
Abusing the Ad Inserter plugin
However, once the attacker has one nonce at his disposal, he can immediately trigger the debugging feature and, even more dangerous, “exploit the ad preview feature by sending a malicious payload containing arbitrary PHP code.”
The plug-ins developer published the 2.4.22 patch on July 13 with a fix for the authenticated remote code execution vulnerability after being notified of the security flaw on July 12. As shown on Ad Inserter plugin’s Wordpress marketplace entry, out of an install base of over 200,000 websites, only just over 50,000 have installed it until this story was published.