A serious security flaw in a WordPress plugin lets threat actors remotely execute PHP code.

Stemming from the use of check_admin_referer() for authorization, the vulnerability is found in the Ad Inserter plugin, which is currently installed on more than 200,000 sites.

According to Bleeping Computer, Ad Inserter is an ad management plugin with many cutting-edge advertising features to insert ads at top positions and it comes with support for all kinds of ads including Google AdSense, Google Ad Manager, contextual Amazon Native Shopping Ads, Media.net and rotating banners.

The function was designed to defend WordPress sites against cross-site request forgery (CSRF) by checking nonces, one-time tokens that reject expired and replayed requests; relying on it for authorization is a practice WordPress has since discouraged.

The flaw affects all WordPress websites running Ad Inserter plugin version 2.4.21 or below, and those affected are urged to update immediately.
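The root cause described above, a nonce check standing in for an authorization check, shown as an added example that is not the Ad Inserter plugin's own code; the handler and option names are hypothetical:

```php
<?php
// Added example, not Ad Inserter code. Handler, action and option names are hypothetical.

// WEAK: check_admin_referer() only proves the request carries a valid nonce,
// i.e. it originated from a page WordPress rendered for *some* logged-in user.
// It does not prove that user may perform the action, so a low-privileged
// account holding its own nonce still reaches the privileged handler.
function example_save_settings_weak() {
    check_admin_referer( 'example_save_settings' );          // CSRF check only
    $value = isset( $_POST['setting'] ) ? wp_unslash( $_POST['setting'] ) : '';
    update_option( 'example_setting', $value );
}

// HARDENED: authorization and CSRF protection are two separate checks.
// The capability test decides *who* may act; the nonce test decides whether
// this particular request is deliberate and not forged.
function example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    check_admin_referer( 'example_save_settings' );
    $value = isset( $_POST['setting'] ) ? sanitize_text_field( wp_unslash( $_POST['setting'] ) ) : '';
    update_option( 'example_setting', $value );
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );

// The form that submits to the handler still emits the nonce; the capability
// check belongs in the handler, never only in the code that renders the form.
function example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_settings">';
    wp_nonce_field( 'example_save_settings' );
    echo '<input type="text" name="setting"><button type="submit">Save</button></form>';
}
```

When auditing a plugin, grep for check_admin_referer() and check_ajax_referer() calls that are not paired with a current_user_can() test in the same handler.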

“In addition to obviously patching the plugin, we recommend WordPress administrators enforce a requirement for Multi-Factor Authentication (MFA) or adaptive authentication for all WordPress users, including both admins and subscribers,” Silverfort Chief Technology Officer Yaron Kassner told SC Media. “This would prevent attackers from authenticating to WordPress, even if they have credentials, and therefore protect the organization from attacks where an attacker hijacks a low-privileged account and uses vulnerabilities such as this to elevate privileges and execute code.”
