In late June 2020, the Adning Advertising plugin for WordPress was found to contain two vulnerabilities, one of them critical with a CVSS (Common Vulnerability Scoring System) score of 10.0. Adning is a premium plugin with more than 8,000 customers.
Wordfence researchers analyzed the flaws and privately disclosed them to the plugin's author, Tunafish. The good news is that a patched version was released in less than 24 hours. All users of the plugin should upgrade to Adning Advertising version 1.5.6, which contains the fix, as soon as possible.
Adning Advertising Plugin Vulnerabilities: What You Should Know
Wordfence researchers were also able to determine that the vulnerabilities had already been exploited in the wild in very limited attacks, which makes the update urgent rather than routine.
The first vulnerability, which received a CVSS score of 10.0, is described as "Unauthenticated Arbitrary File Upload leading to Remote Code Execution." All versions earlier than 1.5.6 are affected, so users should update to the latest version immediately.
According to the security report, this vulnerability lies in the plugin's feature for uploading banner images. To provide that feature, the plugin registered an AJAX action, _ning_upload_image. The issue is that this action was registered with a nopriv_ hook (WordPress's wp_ajax_nopriv_ prefix), which makes it reachable by any visitor to the site, including visitors who are not logged in, Wordfence said. Because the upload was both unauthenticated and unrestricted in the type of file accepted, an attacker could place executable code on the server.
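The following is an added example, not code from the Adning plugin or from Wordfence's report. It shows the class of bug described above in a WordPress plugin: the same upload callback registered on both the wp_ajax_ and the wp_ajax_nopriv_ hook with no authentication, nonce, or file-type check, next to a hardened handler that is only registered for logged-in users and validates the upload. The action and function names (example_upload_image, example_upload_image_safe) and the nonce action name are invented for the example; the WordPress functions used (add_action, check_ajax_referer, current_user_can, wp_check_filetype_and_ext, wp_handle_upload, wp_send_json_*) are real core APIs.

```php
<?php
// Added illustrative example: NOT the Adning plugin's code.
// Names prefixed "example_" are hypothetical.

// --- Vulnerable pattern -----------------------------------------------
// Registering the callback on the nopriv_ hook as well makes it reachable
// by logged-out visitors via admin-ajax.php?action=example_upload_image.
add_action( 'wp_ajax_example_upload_image',        'example_upload_image_vulnerable' );
add_action( 'wp_ajax_nopriv_example_upload_image', 'example_upload_image_vulnerable' );

function example_upload_image_vulnerable() {
    $upload_dir = wp_upload_dir();
    // No capability check, no nonce, and the client controls the file name,
    // so a file such as "shell.php" lands in a web-reachable directory.
    $dest = $upload_dir['basedir'] . '/' . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
}

// --- Hardened pattern -------------------------------------------------
// Only the authenticated hook is registered; there is no nopriv_ twin.
add_action( 'wp_ajax_example_upload_image_safe', 'example_upload_image_safe' );

function example_upload_image_safe() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_upload_image_nonce', 'nonce' );

    // 2. Authorization: being logged in is not enough; require a capability.
    //    wp_send_json_error() calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Server-side type check: only image extensions and MIME types allowed.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let WordPress place the file: wp_handle_upload() sanitizes the name,
    //    enforces the allowed types again and uses the uploads directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The decisive difference is not the nonce but the absence of the nopriv_ registration plus the capability check: a nonce alone only proves the request came from a page the site rendered, which an unauthenticated visitor can also obtain. When auditing a plugin, grep for every wp_ajax_nopriv_ registration and ask whether the callback really needs to serve anonymous users.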
The second vulnerability, described as "Unauthenticated Arbitrary File Deletion via path traversal," has a CVSS score of 8.7. It is triggered through another AJAX action, _ning_remove_image, which was also registered with a nopriv_ hook. Because the file name passed to it was not confined to the plugin's own directory, an unauthenticated attacker could use path traversal sequences to delete arbitrary files on the server.
Deleting wp-config.php is the most damaging case: without that file, WordPress behaves as if it had never been installed and offers the installation screen. The attacker can then run the installer themselves, point the site at a remote database under their control, and replace the site's content with their own.
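The following is an added example, not code from the Adning plugin or from Wordfence's report. It shows an unauthenticated AJAX delete action that joins a client-supplied name onto a directory without any containment check (the path traversal pattern described above), next to a hardened handler that resolves the path with realpath() and refuses anything that leaves the intended directory. The action and function names (example_remove_image, example_confine_to_dir), the nonce action name, and the example-banners subdirectory are invented for the example; the WordPress functions used (check_ajax_referer, current_user_can, wp_unslash, wp_upload_dir, wp_check_filetype, wp_delete_file, wp_send_json_*) are real core APIs.

```php
<?php
// Added illustrative example: NOT the Adning plugin's code.
// Names prefixed "example_" are hypothetical.

// --- Vulnerable pattern -----------------------------------------------
add_action( 'wp_ajax_example_remove_image',        'example_remove_image_vulnerable' );
add_action( 'wp_ajax_nopriv_example_remove_image', 'example_remove_image_vulnerable' );

function example_remove_image_vulnerable() {
    $upload_dir = wp_upload_dir();
    // A value such as "../../../wp-config.php" walks out of the uploads
    // directory, so any file the web server user can write is deletable.
    $target = $upload_dir['basedir'] . '/' . $_POST['image'];
    if ( file_exists( $target ) ) {
        unlink( $target );
    }
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------
add_action( 'wp_ajax_example_remove_image_safe', 'example_remove_image_safe' );

/**
 * Resolve $relative against $base_dir and return the absolute path only if
 * it stays inside $base_dir, false otherwise. realpath() collapses "..",
 * duplicate slashes and symlinks before the prefix comparison is made.
 */
function example_confine_to_dir( $base_dir, $relative ) {
    $base = realpath( $base_dir );
    $path = realpath( $base_dir . '/' . $relative );
    if ( false === $base || false === $path ) {
        return false; // base directory missing or target does not exist
    }
    // The prefix must end with a separator, otherwise "/var/www/uploads-evil"
    // would be accepted for base "/var/www/uploads".
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $path, $prefix, strlen( $prefix ) ) ) {
        return false;
    }
    return $path;
}

function example_remove_image_safe() {
    check_ajax_referer( 'example_remove_image_nonce', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $relative = isset( $_POST['image'] ) ? wp_unslash( $_POST['image'] ) : '';
    // Accept only a bare file name: no directory separators and no "..".
    if ( '' === $relative || basename( $relative ) !== $relative ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    $upload_dir = wp_upload_dir();
    $banner_dir = $upload_dir['basedir'] . '/example-banners'; // assumed subdirectory
    $target     = example_confine_to_dir( $banner_dir, $relative );
    if ( false === $target || ! is_file( $target ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Belt and braces: even inside the directory, only image files are removed.
    $type = wp_check_filetype( $target );
    if ( 0 !== strpos( (string) $type['type'], 'image/' ) ) {
        wp_send_json_error( 'not an image', 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success();
}
```

Two checks are deliberately layered: the basename() test rejects any input containing a separator before the filesystem is touched, and example_confine_to_dir() catches anything that still resolves outside the directory, including symlinks that realpath() follows. The authentication and capability checks are the same ones the upload handler needs; without them, a correct containment check still leaves the action open to any visitor deleting other users' banners.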
More technical details of how the vulnerabilities could be exploited are available in Wordfence's official report.