WordPress Plugin Vulnerabilities

Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution

Description

The Ad Inserter – Ad Manager & AdSense Ads WordPress plugin was affected by an Authenticated Remote Code Execution security vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
ad-inserter
Fixed in 2.4.22

References

CVE
CVE-2019-15324
URL
https://www.wordfence.com/blog/2019/07/critical-vulnerability-patched-in-ad-inserter-plugin/
URL
https://plugins.trac.wordpress.org/changeset/2122577/ad-inserter

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Sean Murphy (Wordfence)
Submitter
Ryan Dewhurst
Submitter website
https://wpscan.io
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
fbfa36dc-7028-4a31-8a68-4b02da80290c

Timeline

Publicly Published
2019-07-15 (about 6 years ago)
Added
2019-07-15 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2024-05-17
Title
ArForms < 6.6 - Unauthenticated RCE
Published
2014-08-01
Title
WP-Super-Cache 1.3 - Remote Code Execution
Published
2025-10-08
Title
xSmart <= 1.2.9.4 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
Published
2026-01-21
Title
Beaver Builder < 2.9.4.2 - Contributor+ Remote Code Execution
Published
2024-04-05
Title
Advanced Order Export For WooCommerce < 3.4.5 - Shop Manager+ Remote Code Execution