A critical vulnerability in the WordPress Adning Advertising plugin (8k+ installations) is currently actively exploited in the wild. It affects version 1.5.5 and below. A new version 1.5.6 was released on June 26th, 2020:
The vulnerability allows an unauthenticated user to upload any file via the WordPress AJAX API.
We have seen several hacked websites lately. It’s unclear yet if the plugin was patched because it was already exploited (zero-day) or if hackers detected the vulnerability after it was patched and publicly released, but the attack has been going on for at least a week or so.
Recommendations
Upgrade immediately if you have version 1.5.5 or below. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.
Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet