AdSanity, AccessPress Plugins Open Scads of WordPress Sites to Takeover

A critical security bug and a months-long, ongoing supply-chain attack spell trouble for WordPress users.

The WordPress content management system (CMS) is offering admins more headaches this week, thanks to a pair of disparate but concerning security problems in add-ons for the platform.

The first issue affects the WordPress AdSanity plugin. It’s a critical security vulnerability that could allow remote code execution (RCE) and full site takeovers.

The second problem concerns a classic supply-chain attack, in which cybercriminals compromised 40 themes and 53 plugins belonging to AccessPress Themes in order to inject them with a webshell. Thus, any website that installed one of the compromised add-ons is also open to RCE and full takeover.

AdSanity Plugin Allows RCE

AdSanity is a lightweight ad-rotator plugin for WordPress. It lets site owners create and manage the ads shown on a site, and track view and click statistics, from a single dashboard.

The bug, which carries a concerning 9.9 out of 10 rating on the CVSS vulnerability-severity scale, “could allow a low-privilege user to perform arbitrary file upload, remote code execution and stored cross-site scripting attacks,” according to researchers at the
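Both problems above leave the same kind of residue on disk: the AccessPress compromise planted a webshell inside theme and plugin code, and an arbitrary-file-upload bug like the AdSanity one typically lands an attacker-controlled PHP file under wp-content/uploads. The script below is an added example, not code from Threatpost, AdSanity or AccessPress, and it does not use the real indicators from either incident (the article gives none). It walks a wp-content tree, flags webshell-style constructs in theme and plugin PHP, and flags any PHP file under uploads/, which should never hold executable code. The sample tree it scans is constructed in a temporary directory; the regexes are generic heuristics, so treat hits as leads for manual review, not proof of compromise.

```python
"""Triage scanner for a WordPress wp-content tree (added example, constructed data).

Two checks:
  1. PHP under themes/, plugins/ or mu-plugins/ containing webshell-style constructs
     (eval of a decoded payload, shell commands or function calls driven by request input).
  2. Any PHP file under uploads/, the usual landing spot for an arbitrary-file-upload bug.
Patterns are generic heuristics, not the indicators from the incidents in the article.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# (regex, human-readable reason). Matched per line, case-insensitive.
WEBSHELL_PATTERNS = [
    (r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
     "eval of decoded payload"),
    (r"\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b",
     "shell command from request input"),
    (r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(",
     "dynamic function call from request input"),
    (r"\bassert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b",
     "assert() on request input"),
]

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")
CODE_DIRS = {"themes", "plugins", "mu-plugins"}


@dataclass(frozen=True)
class Finding:
    path: str    # relative to wp-content, always with forward slashes
    reason: str
    line: int    # 0 when the finding is about location, not content


def scan_php_source(text: str) -> list[tuple[str, int]]:
    """Return (reason, line_number) for every pattern hit in a PHP source string."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for pattern, reason in WEBSHELL_PATTERNS:
            if re.search(pattern, line, re.IGNORECASE):
                hits.append((reason, n))
    return hits


def scan_wp_content(wp_content: str) -> list[Finding]:
    """Walk a wp-content directory and collect findings from both checks."""
    findings: list[Finding] = []
    for dirpath, _, files in os.walk(wp_content):
        top = os.path.relpath(dirpath, wp_content).split(os.sep)[0]
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, wp_content).replace(os.sep, "/")
            if top == "uploads":
                # Executable PHP in uploads/ is suspicious regardless of its contents.
                findings.append(Finding(rel, "executable PHP inside uploads/", 0))
            elif top in CODE_DIRS:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    for reason, n in scan_php_source(fh.read()):
                        findings.append(Finding(rel, reason, n))
    return findings


def build_sample_tree(root: str) -> str:
    """Write a constructed wp-content tree (not a real compromised site) and return its path."""
    wp_content = os.path.join(root, "wp-content")
    files = {
        "themes/clean-theme/functions.php": "<?php\nadd_action('init', 'clean_theme_setup');\n",
        "themes/sample-theme/functions.php": (
            "<?php\nadd_action('init', 'sample_setup');\n"
            "eval(base64_decode($_POST['payload']));\n"   # injected-style backdoor line
        ),
        "plugins/sample-plugin/sample.php": (
            "<?php\n$f = $_GET['f'];\n$_REQUEST['cmd']($_REQUEST['arg']);\n"
        ),
        "uploads/2022/01/image.jpg": "not php",
        "uploads/2022/01/shell.php": "<?php system($_GET['c']); ?>",
    }
    for rel, body in files.items():
        path = os.path.join(wp_content, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return wp_content


def demo_findings() -> list[tuple[str, str, int]]:
    """Build the constructed tree in a temp dir, scan it, return sorted (path, reason, line)."""
    with tempfile.TemporaryDirectory() as tmp:
        found = scan_wp_content(build_sample_tree(tmp))
    return sorted((f.path, f.reason, f.line) for f in found)


if __name__ == "__main__":
    for path, reason, line in demo_findings():
        print(f"{path}:{line or '-'}  {reason}")
```

Run it against a real install with `scan_wp_content("/var/www/html/wp-content")`; pair the content check with a diff of each theme and plugin against a known-good copy from the vendor, since a one-line injection is easy to miss with pattern matching alone.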

Read More: https://threatpost.com/adsanity-accesspress-plugins-wordpress-sites-takeover/177932/