Skip to main content

Ads by WPQuads CVE-2026-42744

| EUVDEUVD-2026-32193 MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-05-27 audit@patchstack.com GHSA-wp8r-g76w-ph6q
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:38 vuln.today

DescriptionCVE.org

Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Manipulating Hidden Fields.This issue affects Ads by WPQuads: from n/a through <= 3.0.2.

AnalysisAI

Unauthenticated manipulation of hidden input fields in Ads by WPQuads WordPress plugin (versions through 3.0.2) allows remote attackers to bypass input validation controls, producing low-severity integrity and availability impact. The root cause is CWE-1284 (Improper Validation of Specified Quantity in Input), enabling attackers to supply out-of-range or unexpected quantity values that the plugin fails to reject. EPSS is 0.06% (18th percentile), no public exploit code has been identified, and the vulnerability is not listed in CISA KEV, placing this firmly in lower-priority triage.

Technical ContextAI

The vulnerability exists in the 'quick-adsense-reloaded' WordPress plugin (Ads by WPQuads), versions up to and including 3.0.2. CWE-1284 describes a failure to validate that a numeric or quantity-type input falls within a permissible range or set of allowed values - the plugin does not sufficiently check quantity-related fields before processing them, allowing an attacker to inject or manipulate hidden form field values. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is reachable via standard HTTP requests without authentication or user interaction, consistent with a publicly exposed form or AJAX endpoint in the plugin. The S:U (unchanged scope) indicates exploitation is contained within the plugin's own security context and does not cross privilege boundaries.

RemediationAI

Update the Ads by WPQuads plugin to a version newer than 3.0.2; no specific patched version number was confirmed in the available intelligence data - consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/quick-adsense-reloaded/vulnerability/wordpress-ads-by-wpquads-plugin-3-0-2-bypass-vulnerability-vulnerability and the WordPress plugin repository for the current release. The patch status is 'patch available per vendor advisory' but the exact fixed version has not been independently confirmed from the provided data. As a compensating control if immediate patching is not feasible, consider using a WordPress WAF (such as Patchstack or Wordfence) with a virtual patch rule for this CVE to intercept malicious requests at the perimeter; note that WAF rules add latency and may produce false positives on legitimate ad configuration traffic. Disabling the plugin entirely eliminates the attack surface at the cost of ad delivery functionality.

Share

CVE-2026-42744 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy