Skip to main content

Ads by WPQuads CVE-2026-42732

| EUVDEUVD-2026-32183 MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-05-27 audit@patchstack.com GHSA-f3q8-x325-fc8h
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 22:21 vuln.today

DescriptionCVE.org

Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Input Data Manipulation.This issue affects Ads by WPQuads: from n/a through <= 3.0.2.

AnalysisAI

Input data manipulation in the Ads by WPQuads WordPress plugin (slug: quick-adsense-reloaded) versions up to and including 3.0.2 allows unauthenticated remote attackers to submit improperly validated input, resulting in low-impact integrity and availability degradation. Discovered and reported by Patchstack (audit@patchstack.com) and tracked under ENISA EUVD-2026-32183, this vulnerability carries a CVSS 6.5 base score. No public exploit code has been identified at time of analysis, and EPSS places exploitation probability at just 0.06% (18th percentile), indicating low real-world exploitation pressure currently.

Technical ContextAI

The affected component is the 'Ads by WPQuads' WordPress plugin (quick-adsense-reloaded), versions 0 through 3.0.2 inclusive, as confirmed by EUVD CPE-equivalent version range data. CWE-1284 (Improper Validation of Specified Quantity in Input) describes a class of flaws where a product receives a quantity or count value but fails to validate it against acceptable bounds, allowing attackers to supply out-of-range or malformed numeric/quantity inputs that the application processes incorrectly. In a WordPress ad management plugin context, this could manifest as manipulation of ad slot counts, impression counters, or similar numeric fields exposed through the plugin's front-end or AJAX endpoints. Notably, the Patchstack reference URL labels this a 'broken-authentication-vulnerability,' which diverges from both the NVD description and CWE classification - this inconsistency warrants independent vendor verification.

RemediationAI

No explicit patched version is identified in the available intelligence data - affected versions are stated as up to and including 3.0.2, but no confirmed fixed release version is cited by NVD, EUVD, or the Patchstack reference. Site operators should consult the WordPress Plugin Directory and the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/quick-adsense-reloaded/vulnerability/wordpress-ads-by-wpquads-plugin-3-0-2-broken-authentication-vulnerability for the latest patched release. As a compensating control while awaiting a confirmed fix, administrators can deactivate the plugin on sites where ad serving is not critical, or restrict access to plugin-specific AJAX endpoints via WAF rules targeting the plugin's registered action hooks. Removing or disabling the plugin eliminates exposure entirely but loses ad functionality. Applying a WAF rule is lower-impact but may not fully mitigate the vulnerability if the affected endpoints are not precisely identified.

Share

CVE-2026-42732 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy