Patch now: Exploit released for WordPress plugin RCE bug

Users of the Woody Ad Snippets plugin are at risk

UPDATED Exploit code has been released for a popular WordPress plugin with over 90,000 installs.

The vulnerability could allow unauthenticated remote code execution (RCE) in Woody Ad Snippets – a plugin designed to streamline the process of adding header and ad-related content to WordPress websites.

The software – developed by Will Bontrager Software and Webcraftic – creates a library for code snippets that can be automatically added to pages via head, footer, and post injections.

GeneralEG and X-Vector have developed a proof-of-concept (PoC) exploit, which was recently released on GitHub.

Users should upgrade their plugins to the latest version as soon as possible in order to mitigate the risk of compromise.

Security vendor NinTechNet originally discovered the vulnerable code and reported the issue to the wordpress.org team on July 29.

The vulnerability has since been patched in Woody Ad Snippets version 2.2.5 as of July 31.

Before version 2.2.5, the admin/includes/class.import.snippet.php functionality of the plugin contained an unauthenticated options import issue.

An attacker is able to plant arbitrary exploit code on vulnerable systems after an unwitting administrator triggers a stored cross-site scripting (XSS) payload.

This exploit code would leave compromised WordPress installations wide open to attack.

Administrators can trigger the vulnerability simply by visiting or reloading the plugin's page.

Attackers do not need to have any form of authentication or privilege to trigger the exploit, which is straightforward enough to be compressed into a 600-byte payload.

On September 3 the vulnerability was assigned the tracker CVE-2019-15858 and defined as a medium-severity issue.

The National Vulnerability Database alert explains: “admin/includes/class.import.snippet.php in the ‘Woody ad snippets’ plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution.”

A video by GeneralEG documenting potential attacks can be found on YouTube.

This article has been updated to remove a paragraph related to version 2.2.8 of Woody Ad Snippets, designed to resolve an additional plugin code exposure problem that could lead to JavaScript code execution.

The Daily Swig is investigating but at the time of writing it's as yet unclear whether this version, or the latest update of the plugin, version 2.2.9, actually resolves this issue.