
Ad Inserter, a WordPress plugin, allows remote code execution

Experts in vulnerability testing discovered a critical flaw in Ad Inserter, a plugin for advertising management on WordPress sites. If exploited, this flaw would allow any low-privileged user to execute code on the compromised web server.

After the presence of this flaw was verified, multiple members of the cybersecurity community recommended that system administrators using this plugin update to the latest version as soon as possible.

The report actually describes two vulnerabilities. The first was defined by specialists as an “authenticated path exploit” present in Ad Inserter versions 2.4.19 and earlier. This flaw allows attackers to reach specific areas of a website by making minimal URL modifications, granting them access to sensitive information or the ability to execute code.

The second flaw, found by vulnerability testing experts at the security firm WordFence, is a critical error that the plugin developers had to fix immediately after receiving the security alert. It is an authenticated remote code execution; when exploited, it allows a user with minimal privileges (including subscribers of a WordPress site) to execute arbitrary code on any installation of this content management system. This bug affects versions 2.4.21 and earlier of the plugin.

Vulnerability testing experts note that it is very common to find such errors in WordPress plugins, although companies do not always act in proportion to the seriousness of these incidents. In this case, the developers of Ad Inserter acted effectively on receiving the bug reports, crediting those responsible for reporting the flaws and correcting them as soon as possible.

In addition to acknowledging the security flaws, Ad Inserter alerted all its users about the situation, a basic security measure in the vulnerability handling and risk mitigation process, as specialists from the International Institute of Cyber Security (IICS) pointed out.

It is important that all WordPress administrators using this plugin install its latest version to stay safe from exploitation of these flaws.
