Vulnerability Patched in Ad Inserter Plugin for WordPress

Ad Inserter is a popular WordPress plugin for managing advertisements. Last week it emerged that versions 2.4.21 and below of the plugin contain two critical vulnerabilities. The developer has since released an update that patches them. Users are advised to update as quickly as possible.


About Ad Inserter

Ad Inserter is intended to place advertisements on your WordPress website. The plugin, which has more than 200,000 users, offers support for various types of advertisements, such as Google AdSense, Google Ad Manager, Amazon Native Shopping advertisements, as well as rotating banners.

Vulnerabilities in Ad Inserter plugin

The first vulnerability is a so-called Authenticated Path Traversal. By adding values such as ../ to the URL, hackers could gain access to protected parts of the website. In this way a hacker can, as it were, walk through the website structure until he arrives at a point where he can do damage.
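As an added example (not code from the original article, the plugin, or its developer), the following Python script flags requests in a web server access log whose URL contains a `../` path segment of the kind described above, including URL-encoded and double-encoded forms. The log lines, the `demo` action and the `file` parameter are constructed for illustration and are not the plugin's real request parameters.

```python
import re
from urllib.parse import unquote

# Constructed sample in combined log format. The "demo" action and "file"
# parameter are hypothetical, not Ad Inserter's real request parameters.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=demo&file=../../wp-config.php HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=demo&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=demo&file=%252e%252e%252fsecret HTTP/1.1" 403 0
198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /blog/ads..and..more/ HTTP/1.1" 200 9001
198.51.100.4 - - [01/Jan/2024:10:02:03 +0000] "GET /wp-content/uploads/banner.png HTTP/1.1" 200 20480
"""

# Captures ip, method, request target and status from one access log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# ".." as a whole path segment: bounded by a separator on both sides, so a
# slug such as "ads..and..more" does not match.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=])\.\.(?:[/\\&]|$)')


def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e%252f is seen."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_traversal_requests(log_text):
    """Return (ip, status, decoded_target) for each request with a ../ segment."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        decoded = fully_decode(target)
        if TRAVERSAL_RE.search(decoded):
            hits.append((ip, int(status), decoded))
    return hits


if __name__ == "__main__":
    for ip, status, target in find_traversal_requests(SAMPLE_LOG):
        print(f"{ip} status={status} {target}")
```

The status code in each hit shows whether the server answered the request (200) or refused it (403), which helps prioritise which hits to investigate first.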

The second vulnerability is an Authenticated Remote Code Execution (RCE). This allowed any user registered on the website, even if only as a subscriber, to execute arbitrary code on the WordPress installation.


Immediate action

It is possible for any plugin to contain a vulnerability. The speed with which developers respond to these potential problems shows how transparent they are about them, and that is what is important. The Ad Inserter team acted very well in this regard. The vulnerabilities were discovered on Friday, July 12 by the Wordfence team, who immediately informed the developer of the Ad Inserter plugin. By the next day an update was available that fixed the vulnerabilities.
