Webmasters who use WordPress plugin Adning Advertising are urged to patch against a critical vulnerability that is reportedly being exploited in the wild. Exploitation of the flaw enables an unauthenticated attacker to upload arbitrary files, leading to remote code execution (RCE) and potentially a full site takeover.
Such is the flaw’s seriousness, MITRE has assigned it the highest possible CVSS score – 10.0.
Remote Code Execution (RCE) remains one of the most dangerous exploits in the cybercriminal arsenal. RCE allows criminals to run what they want on the server they exploit. Some of the largest data breaches, like the Equifax attack, started with an RCE attack.
Traditional application security tools like Web Application Firewalls (WAFs) have a tough time with RCE attacks because they typically rely on understanding a past RCE attack to detect a new zero-day attack. RASP (Runtime Application Self-Protection) solutions sit on the server and have a better understanding of the application. A RASP can \”see\” when code that shouldn\’t be there gets to run and can help stop RCE attacks.
Developers can also implement good coding practices to reduce the risk of RCE when writing and creating a web application. In addition to making sure they have application security, the simplest thing any organization can do to help reduce vulnerabilities is to keep their code up to date and patched.