Skip to main content

The Publisher Desk Ads Txt CVE-2026-39698

| EUVDEUVD-2026-20396 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-5w7m-5jqr-58r7
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20396
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in PublisherDesk The Publisher Desk ads.txt the-publisher-desk-ads-txt allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Publisher Desk ads.txt: from n/a through <= 1.5.0.

AnalysisAI

Missing authorization in The Publisher Desk ads.txt WordPress plugin versions 1.5.0 and earlier allows unauthenticated remote attackers to bypass access controls and read sensitive configuration data through incorrectly configured access control levels. The vulnerability has a CVSS score of 5.3 (medium) with low real-world exploitation risk (EPSS 0.02%, percentile 4%). No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

The Publisher Desk ads.txt plugin (CPE: cpe:2.3:a:publisherdesk:the_publisher_desk_ads.txt:*:*:*:*:*:*:*:*) implements access control mechanisms to restrict access to ads.txt configuration and management functionality. CWE-862 (Missing Authorization) indicates that the plugin fails to properly validate user permissions before allowing access to protected resources or API endpoints. This is a common vulnerability class in WordPress plugins where capability checks (is_user_logged_in(), current_user_can()) are either missing or improperly enforced. The vulnerability allows an unauthenticated user to access functionality that should require administrative or elevated privileges, resulting in confidentiality impact through information disclosure.

RemediationAI

Upgrade The Publisher Desk ads.txt plugin to version 1.5.1 or later, which includes authorization checks to properly enforce access control on protected endpoints and configuration pages. Site administrators should update the plugin immediately via the WordPress admin dashboard (Plugins > Installed Plugins > Update). If an immediate update is unavailable, consider temporarily disabling the plugin until a patched version is released. Verify post-update that only authenticated administrators with appropriate capabilities can access ads.txt management functionality. Additional guidance and vulnerability details are available at https://patchstack.com/database/Wordpress/Plugin/the-publisher-desk-ads-txt/vulnerability/ and https://nvd.nist.gov/vuln/detail/CVE-2026-39698.

Share

CVE-2026-39698 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy