The popular Ad management plugin named Ad Inserter is the latest WordPress asset to be found vulnerable to a serious security issue. An authenticated user of the plugin can easily execute PHP code on the vulnerable websites.
Ad Inserter is currently active on more than 200K websites, leaving a massive number of WordPress websites open to cyberattacks.
Website owners use this plugin to insert ads at optimal positions. It supports Google AdSense, Google Ad Manager, contextual Amazon Native Shopping Ads, Media.net and rotating banners.
According to Wordfence researchers who discovered the vulnerability, the Ad Inserter is using check_admin_referer () function to bring an additional security control to the plugin.
The role of this function is to protect against cross-site request forgery (CSRF) attacks. The function checks that a one-time token (nonce) is present in the request to prevent unwanted repeated, expired or malicious requests.
However, many developers believe that checking this one-time token is enough for access control, and stop their efforts here. But, the WordPress documentation clearly mentions that this function is not intended for access control.
The vulnerability in Ad Inserter is a good example for developers to understand that using this function for authorization is not a good idea.
Wordfence mentioned that the weakness could allow an authenticated user (even the subscriber) to execute arbitrary PHP code on the vulnerable sites. The Wordfence disclosed the issue to the developers of Ad Inserter who released the fix the very next day.
All the websites running Ad Inserter 2.4.21 or below must update the plugin to the latest version (v2.4.22).