Vulnerability Management

Critical WordPress plugin flaw leaves 200,000 sites at risk


A critical security flaw in a WordPress plugin allows attackers who hold an account on the site, even a low-privileged one, to remotely execute PHP code.

The vulnerability is found in the Ad Inserter plugin, which is currently installed on more than 200,000 sites, and stems from the plugin's use of the check_admin_referer() function as its authorization check.

Ad Inserter is an ad management plugin with many advanced advertising features for inserting ads at optimal positions. It supports all kinds of ads, including Google AdSense, Google Ad Manager, contextual Amazon Native Shopping Ads, and rotating banners, according to Bleeping Computer.

check_admin_referer() was designed to protect WordPress sites against cross-site request forgery (CSRF): it verifies a nonce, a token issued by the site and meant to block expired and replayed requests. A valid nonce only shows that the request came from a page the site served to that user; it says nothing about whether the user is permitted to perform the action, which is why WordPress discourages relying on nonces for authorization.
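The pattern described above, written out as an added illustration rather than Ad Inserter's own code: a hypothetical admin-ajax handler (the action name, nonce action string and `manage_options` capability are all assumptions made for this example) that gates a PHP-executing preview feature on check_admin_referer() alone, next to a hardened form that separates authorization from CSRF protection.

```php
<?php
/**
 * Added example, not code from the Ad Inserter plugin. Names used here
 * ('example_preview', the 'nonce' POST field, 'manage_options') are
 * assumptions chosen for illustration.
 *
 * A nonce in WordPress is bound to a user, an action string and a time
 * window. Verifying it answers "did this request come from a page I served
 * to this user?", not "is this user allowed to do this?".
 */

// --- Vulnerable pattern: a nonce check standing in for authorization ---
function example_preview_vulnerable() {
    // check_admin_referer() only confirms the request carries a valid nonce
    // for 'example_preview' (and a plausible referer). Any logged-in user
    // who can obtain such a nonce, for example because the site prints it
    // for every authenticated user, passes this check.
    check_admin_referer( 'example_preview', 'nonce' );

    $code = isset( $_POST['code'] ) ? wp_unslash( $_POST['code'] ) : '';
    eval( $code ); // attacker-controlled PHP runs for anyone holding the nonce
    wp_die();
}
add_action( 'wp_ajax_example_preview_vulnerable', 'example_preview_vulnerable' );

// --- Hardened pattern: capability check first, nonce check second ---
function example_preview_hardened() {
    // Authorization: only users who may administer the site reach this path.
    // 'manage_options' is assumed here as the capability that marks a site
    // administrator; a feature that executes PHP should never be reachable
    // by a less trusted role.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // CSRF protection: the request must still carry a nonce minted for this
    // action and this user. Passing false as the third argument makes
    // check_ajax_referer() return instead of dying so we control the response.
    if ( ! check_ajax_referer( 'example_preview', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }

    // The preview feature itself is unchanged; what changed is who can reach it.
    $code = isset( $_POST['code'] ) ? wp_unslash( $_POST['code'] ) : '';
    eval( $code );
    wp_die();
}
add_action( 'wp_ajax_example_preview_hardened', 'example_preview_hardened' );

// --- Only hand the nonce to users who may use the feature ---
// Emitting the nonce to every authenticated user is harmless once the
// handler checks capabilities, but there is no reason to expose it widely.
function example_preview_print_nonce() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    printf(
        '<script>var examplePreviewNonce = %s;</script>',
        wp_json_encode( wp_create_nonce( 'example_preview' ) )
    );
}
add_action( 'admin_footer', 'example_preview_print_nonce' );
```

The order of the two checks in the hardened handler matters less than their presence: the capability check decides whether the caller may act at all, the nonce check decides whether this particular request was intended by that caller. Dropping either one reopens a hole, and reviewing a plugin for handlers that call check_admin_referer() or check_ajax_referer() without a nearby current_user_can() is a quick way to find this class of bug.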

The flaw affects all WordPress websites running Ad Inserter version 2.4.21 or earlier, and administrators of affected sites are encouraged to update immediately.

“In addition to obviously patching the plugin, we recommend WordPress administrators enforce a requirement for Multi-Factor Authentication (MFA) or adaptive authentication for all WordPress users, including both admins and subscribers,” Silverfort Chief Technology Officer Yaron Kassner told SC Media. “This would prevent attackers from authenticating to WordPress, even if they have credentials, and therefore protect the organization from attacks where an attacker hijacks a low-privileged account, and uses vulnerabilities such as this to elevate privileges and execute code.”

Kassner added that MFA can be enforced by using a WordPress SSO or an MFA plugin.
