Pierluigi Paganini July 15, 2019

A critical vulnerability affecting the Ad Inserter WordPress plugin could be exploited by authenticated attackers to remotely execute PHP code.

Security researchers at Wordfence discovered a critical vulnerability in the Inserter WordPress plugin that could be exploited by authenticated attackers to remotely execute PHP code.

Ad Inserter is an Ad management plugin that allows administrators to benefit of advanced features to insert ads at optimal positions. It supports major ad programs, including Google AdSense, Google Ad Manager(DFP – DoubleClick for publishers), contextual Amazon Native Shopping Ads, Media.net and rotating banners.

The Ad Inserter WordPress plugin is currently installed on over 200,000 websites. 

The security flaw resides in the authorization process implemented in the check_admin_referer() function that was designed to protect WordPress sites against cross-site request forgery (CSRF) exploits using nonces.

“The function check_admin_referer() is intended to protect against cross-site request forgery (CSRF) attacks by ensuring that a nonce (a one-time token used to prevent unwanted repeated, expired, or malicious requests from being processed) is present in the request.” reads the post published by Wordfence.

“The WordPress documentation makes it clear, though, that check_admin_referer() is not intended for access control, and this vulnerability is a good example of why misusing nonces for authorization is a bad idea.”

Experts pointed out that nonce should never be relied on for authentication or authorization, access control.

“The weakness allowed authenticated users (Subscribers and above) to execute arbitrary PHP code on websites using the plugin,” continues the experts.

Authenticated attackers can bypass authorization checks implemented by the check_admin_referer() function to access the debug mode provided by the Ad Inserter plugin for admins.

The experts discovered that the debugging feature can be triggered by any user who has the special cookie “Cookie: AI_WP_DEBUGGING=2.”

“Normally, these debugging features are only available to administrators, and when certain options are enabled a block of Javascript is included on nearly every page. That Javascript contains a valid nonce for the ai_ajax_backend action,” continues Wordfence.

The debugging feature could be triggered by an attacker that has access to a nonce, he can also exploit the ad preview feature by sending a malicious payload containing arbitrary PHP code.

The flaw affects all WordPress websites that uses the Ad Inserter plugin version 2.4.21 or previous ones. The developer revealed the 2.4.22 version on July 13 that address the authenticated RCE flaw.

Below the disclosure timeline:

July 12 – Vulnerability discovered by Wordfence Threat Intelligence Team
July 12 – Firewall rule released to Wordfence Premium users
July 12 – Plugin developer notified of the security issue
July 13 – Patch released
August 11 – Firewall rule becomes available to free users

Pierluigi Paganini

(SecurityAffairs – Ad Installer, WordPress plugin)

[adrotate banner=”5″]

[adrotate banner=”13″]