WordPress Plugins Running on Thin Ice. Again.

WordPress websites running a vulnerable advertising plugin need to patch it to avoid Remote Code Execution (RCE).

What’s going on?

The Adning Advertising plugin for WordPress was found to contain a critical RCE vulnerability that can be exploited by unauthenticated actors. This is a premium plugin with over 8,000 customers. The vulnerability lies in the plugin’s functionality to permit users to upload banner images.

WordPress Plugins - the weakest links

WordPress plugins keep turning up with one vulnerability or another, putting sites at risk.
  • Earlier in May, the Page Builder plugin by SiteOrigin was spotted containing two vulnerabilities that could allow a full site takeover.
  • In April, a CSRF vulnerability in Real-Time Find and Replace plugin was found to allow the injection of malicious JavaScript anywhere on a victim’s website.
  • In March, the Duplicator plugin was found to have an unauthenticated arbitrary file download vulnerability that was being exploited in the wild.

Another bug in Adning?

  • A second vulnerability was spotted by researchers that allowed the unauthenticated arbitrary deletion of files via path traversal.
  • Unlike the first bug, this one was issued a high-severity CVSS score of 8.7.
  • Moreover, by exploiting this vulnerability, attackers can force a reset of the entire site and reinstall it with a database of their own.
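Both Adning bugs described above come down to missing checks in a plugin's file handlers: an image upload reachable without authentication or type validation, and a delete routine that trusts a user-supplied path. The following is an added example, not Adning's code, of how a hypothetical WordPress plugin would harden the same two operations; the hook names, the `banners` subdirectory and the capabilities required are assumptions.

```php
<?php
// Added example (not Adning's code): hardened banner-upload and banner-delete
// handlers for a hypothetical plugin. Hook names, the "banners" subdirectory
// and the required capabilities are assumptions.

add_action( 'wp_ajax_banner_upload', 'banner_upload_handler' );   // logged-in only:
add_action( 'wp_ajax_banner_delete', 'banner_delete_handler' );   // no wp_ajax_nopriv_ twin

function banner_dir() {
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'banners';
    wp_mkdir_p( $dir );
    return $dir;
}

function banner_upload_handler() {
    check_ajax_referer( 'banner_upload', 'nonce' );          // CSRF token
    if ( ! current_user_can( 'upload_files' ) ) {            // capability, not just "logged in"
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['banner']['tmp_name'] ) ) wp_send_json_error( 'no file', 400 );
    // Allowlist image types; extension AND content must agree, so "banner.php"
    // and a PHP file renamed to .png are both rejected.
    $mimes = array( 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg', 'gif' => 'image/gif' );
    $check = wp_check_filetype_and_ext( $_FILES['banner']['tmp_name'], $_FILES['banner']['name'], $mimes );
    if ( ! $check['ext'] || ! $check['type'] ) {
        wp_send_json_error( 'type not allowed', 415 );
    }
    // Let core move the file with a sanitized, server-chosen name under the
    // uploads tree (no user-controlled path component).
    $result = wp_handle_upload( $_FILES['banner'], array( 'test_form' => false, 'mimes' => $mimes ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

function banner_delete_handler() {
    check_ajax_referer( 'banner_delete', 'nonce' );
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Reduce the request to a bare filename, then confirm the resolved path is
    // still inside the banner directory: "../../wp-config.php" cannot escape.
    $name   = sanitize_file_name( basename( wp_unslash( $_POST['file'] ?? '' ) ) );
    $base   = realpath( banner_dir() );
    $target = realpath( $base . '/' . $name );
    if ( '' === $name || false === $target || strpos( $target, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_send_json_success( array( 'deleted' => unlink( $target ) ) );
}
```

The delete handler only ever touches files inside the plugin's own banner directory, so even a request naming a core file such as wp-config.php is refused before anything is unlinked.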

The takeaway

WordPress plugins have been making the news for all the wrong reasons, and the vulnerabilities contained in them can have serious consequences. The Adning Advertising vulnerability has been patched in version 1.5.6, and site owners are advised to update the plugin to the latest version.