Ad Inserter, a WordPress plugin, allows remote code execution

Vulnerability researchers discovered a critical flaw in Ad Inserter, a WordPress plugin for managing advertisements. If exploited, the flaw allows any authenticated low-privileged user to execute code on the web server hosting the affected site.

Once the flaw was confirmed, multiple members of the security community recommended that administrators using this plugin update to the latest version as soon as possible.

The report actually describes two vulnerabilities. The first is an authenticated path traversal present in Ad Inserter versions 2.4.19 and earlier. It allows a logged-in user to reach files outside the plugin's intended directory by making small modifications to a URL, exposing sensitive information or, in some cases, enabling code execution.

The second flaw, found by researchers at the security firm Wordfence, is a critical bug that the plugin's developers fixed promptly after receiving the report. It is an authenticated remote code execution: when exploited, it lets a user with minimal privileges (down to the Subscriber role on a WordPress site) execute arbitrary code on any WordPress installation running the plugin. This bug affects versions 2.4.21 and earlier.
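A practical first step for an administrator is to confirm which version of the plugin a site is actually running, since the two flaws have different affected ranges. The script below is an added example, not code from the report or from the Ad Inserter project: it parses the standard WordPress plugin header (the `Version:` field in the plugin's main PHP file) and compares the result against the affected ranges stated above (path traversal in 2.4.19 and earlier, RCE in 2.4.21 and earlier). The sample header embedded in the script is constructed for illustration; the thresholds are taken only from the ranges the report gives, and the page names no specific fixed release.

```python
import re
import sys

# Affected ranges as stated in the report: versions at or below these
# are vulnerable. The page gives no fixed version number, so only the
# upper bounds of the affected ranges are encoded here.
PATH_TRAVERSAL_MAX = (2, 4, 19)
RCE_MAX = (2, 4, 21)

# Constructed sample of a WordPress plugin header (not the real file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ad Inserter
Description: Ad management plugin (constructed sample header)
Version: 2.4.21
*/
"""


def parse_version(text):
    """Turn '2.4.21' into a comparable tuple, padded to three components."""
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    if not parts:
        raise ValueError("unparseable version string: %r" % text)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def plugin_version(header_text):
    """Extract the 'Version:' field from a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: field found in plugin header")
    return parse_version(m.group(1))


def assess(version):
    """Report which of the two reported flaws a given version is exposed to."""
    return {
        "path_traversal": version <= PATH_TRAVERSAL_MAX,
        "rce": version <= RCE_MAX,
    }


def assess_header(header_text):
    """Convenience wrapper: header text in, (version, assessment) out."""
    version = plugin_version(header_text)
    return version, assess(version)


if __name__ == "__main__":
    # Usage: python check_ad_inserter.py /path/to/wp-content/plugins/ad-inserter/ad-inserter.php
    # With no argument the constructed sample header is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            header = fh.read(4096)  # the header sits at the top of the file
    else:
        header = SAMPLE_HEADER
    ver, result = assess_header(header)
    print("Ad Inserter version:", ".".join(str(p) for p in ver))
    for flaw, exposed in result.items():
        print("  %-15s %s" % (flaw, "AFFECTED" if exposed else "not affected"))
```

Reading the header directly from disk is deliberate: the version shown in the WordPress admin panel can be stale if an update failed halfway, so the file on disk is the more reliable source. Comparing as integer tuples rather than as strings avoids the classic mistake where "2.4.9" sorts after "2.4.21".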

Security researchers note that bugs of this kind are very common in WordPress plugins, and that vendors do not always respond in proportion to their severity. In this case, the developers of Ad Inserter handled the reports well: they acknowledged the researchers who reported the flaws and corrected them as quickly as possible.

In addition to acknowledging the flaws, Ad Inserter notified all of its users about the situation, a basic step in any vulnerability handling and risk mitigation process, as specialists from the International Institute of Cyber Security (IICS) noted.

Administrators of WordPress sites using this plugin should install its latest version to protect themselves against exploitation of these flaws.