Ad inserter is a popular plugin for WordPress users. With this plugin, site administrators can easily manage ads on their websites.

On July 12, Wordfence team(Another popular security plugin for WordPress), discovered a vulnerability called RCE — Remote Code Execution in Ad inserter. This vulnerability can allow an attacker to run any arbitrary PHP code on the site.

The vulnerability was found in Ad preview module of the plugin where you can preview the ads position, size, etc. before publishing it. This action can only be executed by the WordPress administrators and to ensure this, the plugin writer used WordPress function ‘check_admin_referer()‘ which ensures that the action is being performed by the administrator.

Wordfence threat intelligence team who discovered this vulnerability said the ‘check_admin_referer()‘ function is not enough protection. check_admin_referer() is designed to protect against CSRF (Cross-site request forgery) and the way it ensures this is by checking if nonce (a one-time token) exists in the request.

In simple words, check_admin_referer() checks for a kind of OTP is in the request, if it finds the OTP, then it assumes that action is being executed by the admin. But this works only when OTP is provided to admin.

In further research, Wordfence team found that the plugin with some specific debugging features enabled included a block of Javascript on every page of the website that contained a valid nonce or token. With this nonce, the plugin’s preview feature can be triggered with user role as low as a subscriber. An attacker can execute any arbitrary PHP code to gain sensitive data from the server such as stored cookies, password, etc.


The vulnerability discovered in Ad inserter version 2.4.21 and below. So if you are using Ad inserter, make sure it’s up-to-date. If you are using Wordfence premium, you’re already protected (still update the plugin). If you are a Wordfence free user, you’ll receive the patch for this vulnerability after 30 days i.e. August 11.