Skip to main content

Ads by WPQuads CVE-2026-57335

| EUVDEUVD-2026-40106 MEDIUM
Missing Authorization (CWE-862)
2026-06-29 Patchstack GHSA-g5p9-fm5v-5qqf
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible WordPress endpoint, low complexity, subscriber auth required (PR:L), integrity-only impact aligning with ad config manipulation.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 15:22 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Ads by WPQuads <= 3.0.3 versions.

AnalysisAI

Broken access control in the Ads by WPQuads WordPress plugin (versions <= 3.0.3) allows authenticated subscribers to perform privileged administrative actions they are explicitly unauthorized to execute. The flaw, classified under CWE-862 (Missing Authorization), results in high integrity impact with no confidentiality or availability effect, per the CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N vector. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain subscriber account
Delivery
Authenticate to WordPress site
Exploit
Identify unprotected plugin endpoint
Execution
Send crafted privileged request as subscriber
Persist
Bypass missing capability check
Impact
Modify or inject ad configuration

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress subscriber-level (or higher) authenticated session on the target site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS score of 6.5 (Medium) is substantiated by the vector: network-reachable (AV:N), low complexity (AC:L), low-privilege prerequisite (PR:L), no user interaction (UI:N), and high integrity impact (I:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running Ads by WPQuads <= 3.0.3 - a common configuration on blogs and news sites with open registration. Using their valid session cookie, they send a crafted HTTP request (e.g., an admin-ajax.php POST or REST API call) targeting an inadequately protected endpoint in the plugin. …
Remediation Update the Ads by WPQuads plugin to a version released after 3.0.3 - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/quick-adsense-reloaded/vulnerability/wordpress-ads-by-wpquads-plugin-3-0-3-broken-access-control-vulnerability and the WordPress plugin repository for the patched release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57335 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy