Advanced Ads
CVE-2026-54816
HIGH
Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable WordPress plugin endpoint (AV:N); requires authenticated low-privilege account (PR:L); non-trivial conditions to trigger code injection (AC:H); PHP RCE yields full C/I/A impact within the site scope.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in Monetizemore Advanced Ads allows Remote Code Inclusion.
This issue affects Advanced Ads: from n/a through 2.0.21.
AnalysisAI
Remote code execution in the Monetizemore Advanced Ads WordPress plugin through version 2.0.21 allows authenticated attackers with low privileges to inject and execute arbitrary code via a code injection flaw (CWE-94). The issue was disclosed by Patchstack and carries a CVSS 3.1 base score of 7.5 (high) with high attack complexity. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) a reachable WordPress instance running Monetizemore Advanced Ads at version 2.0.21 or earlier, (2) valid credentials for a low-privileged authenticated account on the target site (CVSS PR:L), and (3) the ability to satisfy the elevated attack complexity conditions implied by AC:H - typically a specific plugin state, configuration, or input handling path the attacker must reach. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.5) indicates network-reachable exploitation that nonetheless requires some low-privileged authenticated session and elevated attack complexity - meaning an attacker must overcome specific conditions (e.g., timing, configuration, or non-default state) beyond simply sending a request. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a low-privileged WordPress account on a site running Advanced Ads <= 2.0.21, then sends a crafted request to a vulnerable plugin endpoint that causes attacker-controlled input to be evaluated or included as PHP code. Successful exploitation yields arbitrary code execution as the web server user, enabling webshell deployment, database theft, and full site takeover. … |
| Remediation | Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data - administrators should consult the Patchstack entry at https://patchstack.com/database/wordpress/plugin/advanced-ads/vulnerability/wordpress-advanced-ads-plugin-2-0-21-remote-code-execution-rce-vulnerability and update Advanced Ads to the first version above 2.0.21 published by Monetizemore. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all WordPress installations to identify Monetizemore Advanced Ads plugin deployments and document exact versions in use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today