Skip to main content

Ads by WPQuads CVE-2026-54824

| EUVDEUVD-2026-39784 HIGH
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-06-26 audit@patchstack.com GHSA-jqm5-j5fc-x67x
7.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

Unauthenticated network read with no interaction (AV:N/AC:L/PR:N/UI:N); confidentiality set to L not H because the specific exposed data is unspecified and CWE-497 typically yields partial system/config disclosure.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:32 vuln.today

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in Ads by WPQuads <= 3.0.3 versions.

AnalysisAI

Unauthenticated information disclosure in the Ads by WPQuads (Quick AdSense Reloaded) WordPress plugin versions 3.0.3 and earlier lets remote attackers read sensitive data without any credentials or user interaction. The flaw, reported by Patchstack and classified as CWE-497, exposes information to an unauthorized control sphere over the network. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running WPQuads <= 3.0.3
Exploit
Send unauthenticated HTTP request to plugin endpoint
Execution
Server returns sensitive data
Impact
Harvest exposed information

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the target WordPress site has the Ads by WPQuads (Quick AdSense Reloaded) plugin installed and active at version 3.0.3 or earlier and that the vulnerable endpoint is reachable over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) describes a purely confidentiality-impacting, network-reachable, no-privilege, no-interaction flaw - easy to trigger but with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request to a vulnerable plugin endpoint on a public WordPress site running Ads by WPQuads <= 3.0.3 and receives sensitive data in the response without logging in. Because attack complexity is low and no user interaction is required, the request can be scripted and sprayed across many sites; no public exploit code has been identified at time of analysis.
Remediation No vendor-released patch version was identified in the available data; upgrade to the latest Ads by WPQuads release beyond 3.0.3 once the vendor's fixed version is confirmed via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/quick-adsense-reloaded/vulnerability/wordpress-ads-by-wpquads-plugin-3-0-3-sensitive-data-exposure-vulnerability?_s_id=cve) or the plugin's WordPress.org changelog. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress instances running Ads by WPQuads version 3.0.3 or earlier; disable or deactivate the plugin if feasible; implement Web Application Firewall rules blocking exploitation patterns; assess scope of potentially exposed sensitive data. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54824 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy