In late June 2020, researchers discovered two vulnerabilities in the Adning Advertising plugin. One of them was critical, with a CVSS (Common Vulnerability Scoring System) score of 10. The Adning plugin is a premium plugin with more than 8,000 customers. It is an advertising manager for WordPress sites. The solution helps site owners manage their ads.
Wordfence researchers discovered an alarming weakness in the advertising utility. They analyzed the security flaws and disclosed them to the plugin's author, Tunafish.
The good news is that Tunafish released a patched version of the plugin in less than 24 hours. All users should upgrade their versions to Adning Advertising version 1.5.6 as soon as possible. This version fixes the weaknesses.
Adning Advertising Plugin Vulnerabilities: What You Should Know
Wordfence researchers determined that attackers exploited the vulnerabilities in limited attacks.
The first vulnerability received a CVSS score of 10. It allows unauthenticated arbitrary file upload, which leads to remote code execution. The bug affects versions earlier than 1.5.6. Users should update to the latest version immediately.
The weakness stems from the plugin’s functionality to upload banner images. To provide this functionality, the plugin used an AJAX action, _ning_upload_image. The issue originates from that AJAX action being registered with a nopriv_ hook. This means that any visitor to the site could use it, even if they were not logged in, Wordfence said.
The second vulnerability received a CVSS score of 8.7. It allows unauthenticated arbitrary file deletion via path traversal, triggered through the AJAX action _ning_remove_image. An unauthenticated attacker could delete arbitrary files on the server by using path traversal in the requested file name.
Furthermore, if attackers deleted wp-config.php, the affected WordPress site would be reset to its initial setup state. The attackers could then run the setup again and point the site to a remote database under their control. Finally, they would replace the site’s content with their own. More technical details are available in the official report.
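The two weaknesses described above come down to the same root cause: AJAX callbacks that anonymous visitors can reach and that do not verify who is calling or what path they are given. The following PHP is an added illustration of how a WordPress plugin author closes both gaps; it is not the Adning plugin's code, and the action, callback and nonce names are assumed for the example.

```php
<?php
// Added illustration, not the Adning plugin's code. Action, callback and
// nonce names are assumed for the example.

// Weak pattern (do not ship): a "nopriv" registration exposes the callback
// to visitors who are not logged in, and a callback with no nonce or
// capability check will then serve anyone who calls it.
//   add_action( 'wp_ajax_nopriv_example_upload_image', 'example_upload_image' );

// Hardened upload: authenticated hook only, nonce and capability checks,
// and WordPress validates the file type before it lands in the uploads dir.
add_action( 'wp_ajax_example_upload_image', 'example_upload_image_secure' );

function example_upload_image_secure() {
    check_ajax_referer( 'example_upload_image', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array(
        'test_form' => false,
        'mimes'     => array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' ),
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Hardened removal: same gating, and the target must resolve to a path
// inside the uploads directory, which blocks "../" traversal to wp-config.php.
add_action( 'wp_ajax_example_remove_image', 'example_remove_image_secure' );

function example_remove_image_secure() {
    check_ajax_referer( 'example_remove_image', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $base   = realpath( wp_upload_dir()['basedir'] );
    $target = realpath( $base . '/' . wp_unslash( $_POST['file'] ?? '' ) );
    // realpath() collapses "../"; anything outside $base is rejected.
    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    wp_delete_file( $target );
    wp_send_json_success();
}
```

When auditing a plugin, grep its source for wp_ajax_nopriv_ registrations and confirm each callback either truly needs anonymous access or performs its own nonce and capability checks.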
This is not the first case of a vulnerable plugin. If you want to stay informed about the latest WordPress security news, follow HowToHosting.Guide.