Skip to main content

Advanced Ads CVE-2026-54816

HIGH
Code Injection (CWE-94)
2026-06-17 Patchstack
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Network-reachable WordPress plugin endpoint (AV:N); requires authenticated low-privilege account (PR:L); non-trivial conditions to trigger code injection (AC:H); PHP RCE yields full C/I/A impact within the site scope.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 14:24 vuln.today

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in Monetizemore Advanced Ads allows Remote Code Inclusion.

This issue affects Advanced Ads: from n/a through 2.0.21.

AnalysisAI

Remote code execution in the Monetizemore Advanced Ads WordPress plugin through version 2.0.21 allows authenticated attackers with low privileges to inject and execute arbitrary code via a code injection flaw (CWE-94). The issue was disclosed by Patchstack and carries a CVSS 3.1 base score of 7.5 (high) with high attack complexity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege WordPress account
Delivery
Identify vulnerable Advanced Ads endpoint
Exploit
Send crafted code-injection request
Execution
Trigger PHP code evaluation/inclusion
Persist
Drop webshell as web user
Impact
Pivot to full site and database compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a reachable WordPress instance running Monetizemore Advanced Ads at version 2.0.21 or earlier, (2) valid credentials for a low-privileged authenticated account on the target site (CVSS PR:L), and (3) the ability to satisfy the elevated attack complexity conditions implied by AC:H - typically a specific plugin state, configuration, or input handling path the attacker must reach. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.5) indicates network-reachable exploitation that nonetheless requires some low-privileged authenticated session and elevated attack complexity - meaning an attacker must overcome specific conditions (e.g., timing, configuration, or non-default state) beyond simply sending a request. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a low-privileged WordPress account on a site running Advanced Ads <= 2.0.21, then sends a crafted request to a vulnerable plugin endpoint that causes attacker-controlled input to be evaluated or included as PHP code. Successful exploitation yields arbitrary code execution as the web server user, enabling webshell deployment, database theft, and full site takeover. …
Remediation Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data - administrators should consult the Patchstack entry at https://patchstack.com/database/wordpress/plugin/advanced-ads/vulnerability/wordpress-advanced-ads-plugin-2-0-21-remote-code-execution-rce-vulnerability and update Advanced Ads to the first version above 2.0.21 published by Monetizemore. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all WordPress installations to identify Monetizemore Advanced Ads plugin deployments and document exact versions in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54816 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy