Security researchers at Wordfence discovered a critical vulnerability in the Inserter WordPress plugin that could be exploited by authenticated attackers to remotely execute PHP code.
Ad Inserter is an Ad management plugin that allows administrators to benefit of advanced features to insert ads at optimal positions. It supports major ad programs, including Google
The Ad Inserter WordPress plugin is currently installed on over 200,000 websites.
The security flaw resides in the authorization process implemented in the check_admin_referer
“The function check_admin_referer
“The WordPress documentation makes it clear, though, that check_admin_referer() is not intended for access control, and this vulnerability is a good example of why misusing nonces for authorization is a bad idea.”
Experts pointed out that nonce should never be relied on for authentication or authorization, access control.
“The weakness allowed authenticated users (Subscribers and above) to execute arbitrary PHP code on websites using the plugin,” continues the experts.
Authenticated attackers can bypass authorization checks implemented by the check_admin_referer
The experts discovered that the debugging feature can be triggered by any user who has the special cookie “Cookie: AI_WP_DEBUGGING=2.”
The debugging feature could be triggered by an attacker that has access to a nonce, he can also exploit the ad preview feature by sending a malicious payload containing arbitrary PHP code.
The flaw affects all WordPress websites that
Below the disclosure timeline:
July 12 – Vulnerability discovered by Wordfence Threat Intelligence Team
July 12 – Firewall rule released to Wordfence Premium users
July 12 – Plugin developer notified of the security issue
July 13 – Patch released
August 11 – Firewall rule becomes available to free users
(SecurityAffairs – Ad Installer, WordPress plugin)