Ad Inserter, a WordPress plugin for managing and placing ads on pages, until recently contained a vulnerability that allowed authenticated attackers to execute arbitrary code remotely. The threat-intelligence team behind the security plugin Wordfence discovered the flaw and published a security advisory. According to the advisory, it affects all Ad Inserter versions up to and including 2.4.21, and Wordfence rates it as critical. An attacker holding at least the WordPress Subscriber role (the lowest default role, and the one any visitor receives on a site with open registration) could, according to Wordfence, bypass the plugin's insufficient access controls to reach its debug mode. From there, the plugin's ad "preview" function could be used to execute arbitrary PHP code, for example to read the credentials of the WordPress installation.
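The bug class described above, an admin-only feature that evaluates PHP but is reachable by any logged-in user, is shown below as an added illustration. This is not Ad Inserter's code and makes no claim about how that plugin was written; the action names, the nonce action, the `HYPOTHETICAL_AD_PREVIEW_ENABLED` constant and the `code` parameter are assumptions, and the snippet assumes a WordPress runtime (it would be loaded as a plugin or mu-plugin).

```php
<?php
/*
 * Added illustration of the vulnerability class (not Ad Inserter's code):
 * a WordPress AJAX "preview" endpoint that evaluates PHP supplied in the
 * request, shown once with the weak gating such bugs rely on and once
 * hardened. All names here are hypothetical; assumes a WordPress runtime.
 */

// WEAK: every logged-in user, Subscribers included, can call wp_ajax_* actions.
// A nonce only proves the request came from a page this user loaded; it is a
// CSRF token, not an authorization decision.
add_action('wp_ajax_hypothetical_ad_preview_weak', function () {
    check_ajax_referer('hypothetical_ad_preview', 'nonce');   // CSRF check only
    $code = isset($_POST['code']) ? wp_unslash($_POST['code']) : '';
    ob_start();
    eval($code);                        // a Subscriber holding a nonce gets RCE
    wp_send_json_success(ob_get_clean());
});

// HARDENED: authorization first, CSRF second, and the preview/debug switch
// is a server-side setting rather than something the client can toggle.
add_action('wp_ajax_hypothetical_ad_preview', function () {
    // 1. Authorization: only users who may already run arbitrary PHP on the
    //    site (administrators, who can install plugins) may reach eval().
    //    On multisite, site admins cannot install plugins, so require
    //    is_super_admin() there instead.
    $allowed = is_multisite() ? is_super_admin() : current_user_can('manage_options');
    if (!$allowed) {
        wp_send_json_error('forbidden', 403);   // wp_send_json_* ends the request
    }

    // 2. CSRF: nonce check after the capability check, never instead of it.
    check_ajax_referer('hypothetical_ad_preview', 'nonce');

    // 3. Preview/debug mode must be enabled explicitly in configuration
    //    (e.g. a constant in wp-config.php), not via a cookie or query flag.
    if (!defined('HYPOTHETICAL_AD_PREVIEW_ENABLED') || !HYPOTHETICAL_AD_PREVIEW_ENABLED) {
        wp_send_json_error('preview disabled', 403);
    }

    $code = isset($_POST['code']) ? wp_unslash($_POST['code']) : '';
    ob_start();
    eval($code);   // still dangerous by design; now reachable only by full admins
    wp_send_json_success(ob_get_clean());
});
```

The order matters: `current_user_can()` decides who may use the feature, `check_ajax_referer()` only rules out cross-site requests, and any "debug mode" that turns such a feature on has to be controlled server-side, because a flag the client sends (a cookie or query parameter) is exactly the kind of control a low-privilege user can set for themselves.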
The plugin's developers released a fixed version within 24 hours of being notified. Wordfence advises users to update to Ad Inserter 2.4.22 promptly.