A critical security flaw in a WordPress plugin allows authenticated attackers, including users holding nothing more than a low-privileged subscriber account, to remotely execute arbitrary PHP code on the server.
The vulnerability is in Ad Inserter, a plugin with more than 200,000 active installations, and stems from the plugin relying on check_admin_referer() for authorization. That function only verifies a CSRF nonce; it says nothing about what the calling user is permitted to do.
Ad Inserter is an ad management plugin with advanced features for inserting ads at optimal positions; it supports many ad types, including Google AdSense, Google Ad Manager, contextual Amazon Native Shopping Ads, Media.net and rotating banners, according to Bleeping Computer.
check_admin_referer() was designed to protect WordPress sites against cross-site request forgery (CSRF). It verifies a nonce, a token tied to the logged-in user, the requested action and a limited time window, so that forged or stale requests are rejected. WordPress developer documentation explicitly warns that nonces must not be used for authentication or authorization: any logged-in user who can obtain a valid nonce passes the check regardless of role, so a privileged action also needs a separate capability check such as current_user_can().
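The root cause described above, as an added illustration that is not Ad Inserter's code: a hypothetical admin-ajax handler that gates PHP execution on a nonce alone, beside the hardened version that adds a capability check. The `demo_` action and handler names are invented for this example; `check_ajax_referer()`, `current_user_can()`, `wp_create_nonce()`, `wp_localize_script()` and `wp_send_json_error()` are real WordPress APIs, and the fragment assumes it is loaded inside a WordPress runtime.

```php
<?php
/**
 * Added illustration (hypothetical plugin fragment, not Ad Inserter's code).
 * Assumes a WordPress runtime; every name prefixed demo_ is invented here.
 */

// A nonce is minted for every logged-in user so that a front-end script can
// call the preview handler. Any subscriber who can load a page therefore
// holds a valid nonce for the 'demo_preview' action.
add_action('wp_enqueue_scripts', function () {
    if (!is_user_logged_in()) {
        return;
    }
    wp_localize_script('jquery', 'demoPreview', array(
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('demo_preview'),
    ));
});

// VULNERABLE PATTERN: the nonce check is the only gate. check_ajax_referer()
// confirms the request carries a nonce WordPress issued for this action,
// which defeats CSRF, but it does not consult the caller's role. A subscriber
// holding the nonce reaches eval() with attacker-controlled PHP.
add_action('wp_ajax_demo_preview_vuln', function () {
    check_ajax_referer('demo_preview', 'nonce');
    $code = isset($_POST['code']) ? wp_unslash($_POST['code']) : '';
    eval($code); // arbitrary PHP from any authenticated user
    wp_die();
});

// HARDENED PATTERN: authorization is a separate decision. The nonce still
// blocks CSRF; current_user_can() decides whether this user may run the
// privileged action at all. The capability, not the nonce, is the gate.
add_action('wp_ajax_demo_preview_fixed', function () {
    check_ajax_referer('demo_preview', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    $code = isset($_POST['code']) ? wp_unslash($_POST['code']) : '';
    eval($code); // still a dangerous feature by design; now administrators only
    wp_die();
});
```

The check to make when auditing a plugin is whether every handler that does something privileged (writing options, touching files, evaluating code) contains a `current_user_can()` call in addition to its nonce check, since a nonce is handed to any logged-in user who renders the page that embeds it.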
The flaw affects every WordPress site running Ad Inserter version 2.4.21 or below; administrators of affected sites should update to 2.4.22 or later immediately.
“In addition to obviously patching the plugin, we recommend WordPress administrators enforce a requirement for Multi-Factor Authentication (MFA) or adaptive authentication for all WordPress users, including both admins and subscribers,” Silverfort Chief Technology Officer Yaron Kassner told SC Media. “This would prevent attackers from authenticating to WordPress, even if they have credentials, and therefore protect the organization from attacks where an attacker hijacks a low-privileged account, and uses vulnerabilities such as this to elevate privileges and execute code.”
Kassner added that MFA can be enforced through a WordPress SSO integration or an MFA plugin.