Ad Inserter is a popular WordPress plugin for managing advertisements. Last week it emerged that versions 2.4.21
and earlier of the plugin contain two critical vulnerabilities. The developer has since released an update that patches them. Users are advised to update as quickly as possible.
About Ad Inserter
Ad Inserter is intended to place advertisements on a WordPress website. The plugin, which has more than 200,000 users, supports various types of advertisements, such as Google AdSense, Google Ad Manager, Amazon Native Shopping ads, Media.net, and rotating banners.
Vulnerabilities in Ad Inserter plugin
The first vulnerability is an authenticated path traversal. By inserting sequences such as ../ into a path parameter, an attacker with a valid account on the site can make the plugin access files outside the directory it was meant to work in. In effect the attacker walks up and across the server's directory tree until reaching a file that is useful for further attack.
The second vulnerability is an authenticated remote code execution (RCE). It allowed any user registered on the website, even one holding only the subscriber role, to execute arbitrary code on the WordPress installation.
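The following block is an added illustration and is not Ad Inserter's code; it shows, in a hypothetical plugin endpoint, the two generic failure modes described above: a file path built from user input without containment checks, and a handler that only checks that the caller is logged in rather than what the caller is allowed to do. The function names, the templates directory and the manage_options capability requirement are assumptions for the example; current_user_can(), wp_die() and esc_html() are WordPress functions that exist only when the file runs inside WordPress, so the demo() function exercises only the plain-PHP parts.

```php
<?php
// Added example, not Ad Inserter's code. Demonstrates path traversal and its
// containment fix, plus a capability check so that "authenticated" does not
// mean "authorized". Names and paths here are assumptions for illustration.

// Vulnerable: the caller controls everything after the base directory, so a
// name such as "../../wp-config.php" walks out of the intended folder.
function vulnerable_read_template($base_dir, $name) {
    $path = $base_dir . '/' . $name;
    return file_get_contents($path);
}

// Hardened: reject anything that is not a plain file name, resolve the final
// path with realpath() (which collapses "../" and symlinks), and require the
// resolved path to stay under the resolved base directory.
function safe_read_template($base_dir, $name) {
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // basename() strips any directory component, so a name containing a
    // separator or traversal sequence no longer equals itself after basename().
    if ($name === '' || $name !== basename($name) || $name[0] === '.') {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false) {
        return null;
    }
    // Containment check: the resolved file must begin with base + separator.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return file_get_contents($path);
}

// Authorization: a subscriber is authenticated but should not be able to load
// plugin internals. Require an administrative capability (assumed here to be
// manage_options), not merely a logged-in session. WordPress-only code path.
function handle_template_request() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 403);
    }
    $name = isset($_GET['template']) ? (string) $_GET['template'] : '';
    $content = safe_read_template(__DIR__ . '/templates', $name);
    if ($content === null) {
        wp_die('Invalid template', 400);
    }
    echo esc_html($content);
}

// Stand-alone demonstration outside WordPress: build a scratch directory with
// one template inside it and one file outside it (constructed sample data),
// then run both readers on a normal name and on a traversal name.
function demo() {
    $base = sys_get_temp_dir() . '/ai_demo_' . getmypid();
    mkdir($base . '/templates', 0700, true);
    file_put_contents($base . '/templates/banner.html', '<div>ad slot</div>');
    file_put_contents($base . '/secret.txt', 'outside the templates directory');

    $results = [
        'vuln_normal' => vulnerable_read_template($base . '/templates', 'banner.html'),
        'vuln_escape' => vulnerable_read_template($base . '/templates', '../secret.txt'),
        'safe_normal' => safe_read_template($base . '/templates', 'banner.html'),
        'safe_escape' => safe_read_template($base . '/templates', '../secret.txt'),
    ];

    unlink($base . '/templates/banner.html');
    unlink($base . '/secret.txt');
    rmdir($base . '/templates');
    rmdir($base);
    return $results;
}

if (PHP_SAPI === 'cli' && !function_exists('current_user_can')) {
    var_dump(demo());
}
```

Running the file from the command line dumps the four results: the vulnerable reader follows the ../ name out of the templates directory, while the hardened reader rejects it before touching the disk. The realpath() containment check is the part that matters; string filtering of "../" alone is bypassable with encodings and symlinks, which is why the example resolves the real path and compares prefixes rather than scanning the input.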
Immediate action
Any plugin can contain a vulnerability. What matters is how quickly developers respond to a report and how transparent they are about it. The Ad Inserter team did well in this regard. The vulnerabilities were discovered on Friday, July 12 by the Wordfence team, who immediately informed the developer of the Ad Inserter plugin. By the next day an update that fixed the vulnerabilities was available.