Skip to main content

Ad Inserter CVE-2026-11900

| EUVDEUVD-2026-41520 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-03 Wordfence GHSA-ppgc-36hr-q23g
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Requires network access and Contributor-level auth (PR:L); post ID enumeration is trivial (AC:L); impact limited to partial post content disclosure (C:L), no integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 09:16 vuln.today
CVE Published
Jul 03, 2026 - 07:53 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Ad Inserter - Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-block-N} tag pattern that calls get_post_field('post_content', N) without verifying the requesting user's capability with current_user_can('read_post'), without restricting the post type to 'wp_block', and without checking the post status. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the full content of arbitrary posts including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it.

AnalysisAI

Insecure Direct Object Reference in the Ad Inserter WordPress plugin (versions up to and including 2.8.16) allows authenticated Contributor-level users to read the full content of arbitrary posts they do not own or have permission to view, including Private, Draft, Pending, Trashed, and password-protected posts. The flaw exists in the shortcode processing function replace_ai_tags(), which fetches post content by a user-supplied numeric ID without any authorization check, post-type restriction, or status filtering. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise Contributor-level WordPress account
Delivery
Insert {reusable-block-N} shortcode into a draft post
Exploit
Trigger WordPress post preview to execute shortcode server-side
Execution
replace_ai_tags() calls get_post_field() without authorization check
Impact
Full content of target post returned in preview response

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at minimum Contributor-level role, which grants the ability to create posts and use the post preview feature. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.3 score (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately characterizes the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a Contributor-level WordPress account creates a new post containing the shortcode [adinserter data="{reusable-block-N}"] where N is any post ID on the site - IDs are sequential integers easily enumerated by incrementing from 1. By using the WordPress post preview feature, the shortcode is rendered server-side, and replace_ai_tags() fetches and returns the full content of the target post regardless of its Private, Draft, or password-protected status. …
Remediation A patch has been committed to the WordPress plugin repository as changeset 3591792 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3591792%40ad-inserter&new=3591792%40ad-inserter&sfph_mail=); however, the exact patched release version number is not confirmed in the available data, so administrators should update Ad Inserter to the latest version available in the WordPress plugin directory and verify the installed version exceeds 2.8.16. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11900 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy