Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in PublisherDesk The Publisher Desk ads.txt the-publisher-desk-ads-txt allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Publisher Desk ads.txt: from n/a through <= 1.5.0.
AnalysisAI
Missing authorization in The Publisher Desk ads.txt WordPress plugin versions 1.5.0 and earlier allows unauthenticated remote attackers to bypass access controls and read sensitive configuration data through incorrectly configured access control levels. The vulnerability has a CVSS score of 5.3 (medium) with low real-world exploitation risk (EPSS 0.02%, percentile 4%). No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
The Publisher Desk ads.txt plugin (CPE: cpe:2.3:a:publisherdesk:the_publisher_desk_ads.txt:*:*:*:*:*:*:*:*) implements access control mechanisms to restrict access to ads.txt configuration and management functionality. CWE-862 (Missing Authorization) indicates that the plugin fails to properly validate user permissions before allowing access to protected resources or API endpoints. This is a common vulnerability class in WordPress plugins where capability checks (is_user_logged_in(), current_user_can()) are either missing or improperly enforced. The vulnerability allows an unauthenticated user to access functionality that should require administrative or elevated privileges, resulting in confidentiality impact through information disclosure.
RemediationAI
Upgrade The Publisher Desk ads.txt plugin to version 1.5.1 or later, which includes authorization checks to properly enforce access control on protected endpoints and configuration pages. Site administrators should update the plugin immediately via the WordPress admin dashboard (Plugins > Installed Plugins > Update). If an immediate update is unavailable, consider temporarily disabling the plugin until a patched version is released. Verify post-update that only authenticated administrators with appropriate capabilities can access ads.txt management functionality. Additional guidance and vulnerability details are available at https://patchstack.com/database/Wordpress/Plugin/the-publisher-desk-ads-txt/vulnerability/ and https://nvd.nist.gov/vuln/detail/CVE-2026-39698.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20396
GHSA-5w7m-5jqr-58r7