Advertising Plugin for WordPress Threatens Full Site Takeovers


Thousands of vulnerable websites need to apply the patch to avoid RCE.

The Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers.

The plugin’s author, Tunafish, has rolled out a patched version (v.1.5.6), which site owners should update to as soon as possible. No CVE was issued.

The bug could allow complete site takeover, earning it a 10 out of 10 on the CVSS bug-severity scale. Also, it has already been the subject of in-the-wild attacks, according to an analysis from Wordfence issued on Wednesday. That said, the firm said the attacks so far have been limited in scope and scale.

The flaw exists in the Adning plugin’s ability to allow users to upload banner images, researchers said.

“In order to provide this functionality, it used an AJAX action, _ning_upload_image,” according to the researchers. “Unfortunately, this AJAX action was available with a nopriv_ hook, meaning that any visitor to the site could make use of it, even if they were not logged in. Additionally, the function called by this AJAX action also failed to make use of a capability check or a nonce check.”

This function also allowed the user to supply the “allowed” file types – which means that an unauthenticated attacker could upload malicious code by sending a POST request to wp-admin/admin-ajax.php.

This could be performed “with the action parameter set to _ning_upload_image, the allowed_file_types set to php and a files parameter containing a malicious PHP file,” researchers said. “Alternatively, an attacker could set the allowed_file_types to zip and upload a compressed archive containing a malicious PHP file, which would be unzipped after upload.”
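The pattern the researchers describe, a nopriv_ hook whose callback has neither a capability check nor a nonce check, can be audited statically. The following is an added example, not code from the article, Wordfence or the plugin: it scans PHP source for unauthenticated AJAX handlers that touch files. The sample PHP and the demo_* names are constructed, and the hook name assumes WordPress's `wp_ajax_nopriv_{action}` naming.

```python
import re

# Constructed sample of plugin-style PHP; not Adning's actual source.
SAMPLE_PHP = r"""
add_action('wp_ajax_nopriv__ning_upload_image', 'demo_upload_image');
add_action('wp_ajax_nopriv_demo_purge_cache', 'demo_purge_cache');
add_action('wp_ajax_nopriv_demo_contact', 'demo_contact');
function demo_upload_image() {
    $types = explode(',', $_POST['allowed_file_types']);
    if (in_array($ext, $types)) { move_uploaded_file($_FILES['files']['tmp_name'], $dest); }
}
function demo_purge_cache() {
    if (!current_user_can('manage_options')) { wp_die(); }
    unlink($cache_dir . '/' . $_POST['name']);
}
function demo_contact() { wp_mail($to, 'hi', $_POST['msg']); }
"""

HOOK_RE = re.compile(r"add_action\(\s*['\"]wp_ajax_nopriv_(\w+)['\"]\s*,\s*['\"](\w+)['\"]")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
FILE_SINKS = ("$_FILES", "move_uploaded_file(", "wp_handle_upload(", "unlink(", "file_put_contents(")
CHECKS = {
    "capability": ("current_user_can(",),
    "nonce": ("check_ajax_referer(", "wp_verify_nonce("),
}

def function_bodies(php):
    """Map function name -> body text using naive brace counting."""
    bodies = {}
    for m in FUNC_RE.finditer(php):
        depth, i = 1, m.end()
        while i < len(php) and depth:
            depth += {"{": 1, "}": -1}.get(php[i], 0)
            i += 1
        bodies[m.group(1)] = php[m.end():i - 1]
    return bodies

def audit(php):
    """Report unauthenticated AJAX handlers that touch files, with missing checks."""
    bodies = function_bodies(php)
    findings = []
    for action, callback in HOOK_RE.findall(php):
        body = bodies.get(callback, "")
        sinks = [s for s in FILE_SINKS if s in body]
        if not sinks:
            continue  # no file operation in this handler, or callback defined elsewhere
        missing = [n for n, calls in CHECKS.items() if not any(c in body for c in calls)]
        findings.append({"action": action, "callback": callback,
                         "sinks": sinks, "missing": missing})
    return findings
```

The brace counter ignores braces inside strings and comments, and callbacks registered as class methods are not resolved, so treat the output as a review list rather than a verdict.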

A Second Bug

Wordfence researchers also found a second security vulnerability, which allows unauthenticated arbitrary file deletion via path traversal.

Carrying a high-severity CVSS score of 8.7, this bug is also patched in v.1.5.6.

“In order to delete any uploaded images, the plugin also registered another ajax action, _ning_remove_image, which also used a nopriv_ hook,” according to the analysis. “As with the upload vulnerability, this function did not perform a capability check or a nonce check. As such it was possible for an unauthenticated attacker to delete arbitrary files using path traversal.”

Also, according to Wordfence, if an attacker were able to delete the specific file wp-config.php, the site would be reset, offering attackers an opportunity to set it up again. They could then point it at a remote database under their control, effectively replacing the site’s content with their own content.

“This might require an extra step of preparation, which is that the wp-content/uploads/path folder would need to exist,” according to Wordfence. “However, since the previously mentioned arbitrary file-upload vulnerability allowed for directory creation, this was not a major obstacle. Once the directory was created, an attacker could send a POST request to wp-admin/admin-ajax.php with the action parameter set to _ning_remove_image, the uid parameter set to /../../.. and the src parameter set to wp-config.php.”
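The containment check that defeats this traversal, as an added example (not the plugin's patch and not code from the article): resolve the requested path first, then confirm it is still inside the upload folder. The install root `/var/www/html` and both function names are constructed; `wp-content/uploads/path`, `uid` and `src` are the names given above.

```python
import os

# Constructed install root; wp-content/uploads/path is the folder named in the article.
WP_ROOT = "/var/www/html"
UPLOAD_BASE = os.path.join(WP_ROOT, "wp-content", "uploads", "path")

def unchecked_target(uid, src):
    """What plain concatenation of the request parameters resolves to."""
    return os.path.normpath(UPLOAD_BASE + "/" + uid + "/" + src)

def contained_target(uid, src):
    """Resolved path if it stays inside UPLOAD_BASE, otherwise None."""
    base = os.path.realpath(UPLOAD_BASE)
    # realpath collapses ".." segments and follows symlinks before the comparison.
    candidate = os.path.realpath(base + "/" + uid + "/" + src)
    # commonpath compares whole path components, so a sibling folder such as
    # ".../uploads/path-backup" is rejected; a startswith() prefix test would accept it.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```

With the parameter values quoted above, `unchecked_target` resolves to the site's wp-config.php while `contained_target` returns None.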

WordPress Plugins: A Weak Link

WordPress plugins continue to crop up with concerning vulnerabilities that put sites at risk. In May for instance, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that’s used to build websites via a drag-and-drop function, was found to harbor two flaws that could allow full site takeover.

Meanwhile in April, it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a CSRF bug in Real-Time Search and Replace. Also that month, a pair of security vulnerabilities (one of them critical), in the WordPress search engine optimization (SEO) plugin known as Rank Math, were found. They could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. RankMath is a WordPress plugin with more than 200,000 installations.

In March, another critical vulnerability in a WordPress plugin known as “ThemeREX Addons” was found that could open the door for remote code execution in 44,000 websites.

Also in March, two vulnerabilities – including a high-severity flaw – were patched in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to inject malicious JavaScript into a popup – potentially opening up more than 100,000 websites to takeover.

And in February, popular WordPress plugin Duplicator, which has more than 1 million active installations, was discovered to have an unauthenticated arbitrary file download vulnerability that was being attacked. And, earlier that month, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) was disclosed. The flaw could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.
