Image: Bleepingcomputer The WordPress official documentation website discourages this practice by stating that “Nonces should not be relied on for authentication or authorisation, access control.” The vulnerability is critical and concerns all Websites where Ad Inserter plug-ins are installed in version 2.4.21 or below. To patch this issue, it should be updated by WordPress admins to version 2.4.22 released by the plugin developer within one day of the security flaw being notified. According to the Wordfence researcher who discovered a critical Ad Inserter bug “The weakness enabled authenticated users (subscribers and above) to execute arbitrary PHP code on websites using the plugin.” Abuse the Authenticated attacker plugin Ad Inserter that gets its hands on a nonce can circumvent permission checks running the check admin referer) (function to access the debug mode that the Ad Inserter plugin provides. “These debugging features are normally only available to administrators and a Javascript block is included on almost every page when certain options are enabled, which includes a valid nonce for ai ajax backend action” says Wordfence. Once the attacker has a nonce available, he can immediately trigger the Debug feature and, even more dangerous, “exploit its ad preview feature by sending a malicious payload that contains arbitrary PHP code.” On 13 July, the plugins developer released a patch 2.4.22 which fixed the vulnerability of authenticated remote code execution after he was notified about the security fl. As shown in the WordPress marketplace entry of Ad Inserter plugin, only just over 50,000 installed it from an install base of over 200,000 websites until this story was published.