Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Requires network access and Contributor-level auth (PR:L); post ID enumeration is trivial (AC:L); impact limited to partial post content disclosure (C:L), no integrity or availability effect.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Ad Inserter - Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-block-N} tag pattern that calls get_post_field('post_content', N) without verifying the requesting user's capability with current_user_can('read_post'), without restricting the post type to 'wp_block', and without checking the post status. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the full content of arbitrary posts including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it.
AnalysisAI
Insecure Direct Object Reference in the Ad Inserter WordPress plugin (versions up to and including 2.8.16) allows authenticated Contributor-level users to read the full content of arbitrary posts they do not own or have permission to view, including Private, Draft, Pending, Trashed, and password-protected posts. The flaw exists in the shortcode processing function replace_ai_tags(), which fetches post content by a user-supplied numeric ID without any authorization check, post-type restriction, or status filtering. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum Contributor-level role, which grants the ability to create posts and use the post preview feature. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.3 score (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately characterizes the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a Contributor-level WordPress account creates a new post containing the shortcode [adinserter data="{reusable-block-N}"] where N is any post ID on the site - IDs are sequential integers easily enumerated by incrementing from 1. By using the WordPress post preview feature, the shortcode is rendered server-side, and replace_ai_tags() fetches and returns the full content of the target post regardless of its Private, Draft, or password-protected status. … |
| Remediation | A patch has been committed to the WordPress plugin repository as changeset 3591792 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3591792%40ad-inserter&new=3591792%40ad-inserter&sfph_mail=); however, the exact patched release version number is not confirmed in the available data, so administrators should update Ad Inserter to the latest version available in the WordPress plugin directory and verify the installed version exceeds 2.8.16. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41520
GHSA-ppgc-36hr-q23g