WordPress Plugin Vulnerabilities

Ad Inserter <= 2.4.19 - Authenticated Path Traversal

Description

Edit (WPScanTeam):

Even though the original advisory mentions that it only affect accounts with the administrator privilege, subscriber accounts and above can exploit the issue, as the nonce can be retrieved when submitting a request with a specific cookie, as described at https://www.wordfence.com/blog/2019/07/critical-vulnerability-patched-in-ad-inserter-plugin/

Affects Plugins

Plugin icon
ad-inserter
Fixed in 2.4.20

References

CVE
CVE-2019-15323
URL
https://www.synacktiv.com/ressources/advisories/WordPress_ad_inserter.pdf

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Wilfried Becard (Synacktiv.com)
Verified
Yes
WPVDB ID
8ab17d1a-4587-4fbd-a186-f517aa2a20b1

Timeline

Publicly Published
2019-07-12 (about 4 years ago)
Added
2019-07-12 (about 4 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2021-01-15
Title
Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
Published
2023-03-27
Title
Photo Gallery by 10Web < 1.8.15 - Admin+ Path Traversal
Published
2022-10-28
Title
Ultimate Member < 2.5.1 - Subscriber+ RCE
Published
2021-07-29
Title
WordPress Download Manager < 3.1.25 - Authenticated Directory Traversal
Published
2021-04-27
Title
WP Fastest Cache < 0.9.1.7 - Authenticated Arbitrary File Deletion via Path Traversal