Adning Advertising WordPress Plugin Contains Critical Vulnerabilities

by   |  Last Update:  |  0 Comments  

On This Page: [hide]

  1. Adning Advertising Plugin Vulnerabilities: What You Should Know

In late June 2020, researchers discovered two vulnerabilities in the Adning Advertising plugin. One of them was critical, with a CVSS (Common Vulnerability Scoring System) score of 10. The Adning plugin is a premium plugin with more than 8,000 customers. It is an advertising manager for WordPress sites. The solution helps site owners manage their ads.

Wordfence researchers discovered an alarming weakness in the advertising utility. They analyzed the security flaws and disclosed them to their author, Tunafish.

The good news is that Tunafish released a patched version of the plugin in less than 24 hours. All users should upgrade their versions to Adning Advertising version 1.5.6 as soon as possible. This version fixes the weaknesses.

Adning Advertising Plugin Vulnerabilities: What You Should Know

Wordfence researchers determined that attackers exploited the vulnerabilities in limited attacks.

The first vulnerability received a CVSS score of 10. It can cause an unauthenticated arbitrarary file upload and remote code execution attacks. The bug affects versions earlier than 1.5.6. Users should update to the latest version immediately.

The weakness stems from the plugin’s functionality to upload banner images. To provide this functionality, the plugin utilized an AJAX action, _ning_upload_image. The issue originates from the AJAX action, which was available with a nopriv_ hook. This means that any visitor to the site could leverage it, even if they were not logged in, Wordfence said.

The second vulnerability got a score of 8.7. It can cause Unauthenticated Arbitrary File Deletion via path traversal. An ajax action _ning_remove_image could trigger the bug. An unauthenticated attacker could be capable of deleting arbitrary files using path traversal.

Furthermore, if attackers deleted wp-config.php, they would reset the affected WordPress site. Then, the attackers could set it up again and point it to a remote database under their control. Finally, they would replace the site’s content with their own. More technical details are available in the official report.

This is not the first case of a vulnerable plugin. If you want to stay informed about the latest WordPress security news, follow HowToHosting.Guide.

Researched and written by:
HowToHosting Editors
HowToHosting.guide provides expertise and insight into the process of creating blogs and websites, finding the right hosting provider, and everything that comes in-between. Read more...

No related posts.

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree
At HowToHosting.Guide, we offer transparent web hosting reviews, ensuring independence from external influences. Our evaluations are unbiased as we apply strict and consistent standards to all reviews.
While we may earn affiliate commissions from some of the companies featured, these commissions do not compromise the integrity of our reviews or influence our rankings.
The affiliate earnings contribute to covering account acquisition, testing expenses, maintenance, and development of our website and internal systems.
Trust howtohosting.guide for reliable hosting insights and sincerity.