Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broadstreet Ads: from n/a through <= 1.52.2.
AnalysisAI
Missing authorization in Broadstreet Ads WordPress plugin through version 1.52.2 allows authenticated users to bypass access controls and modify data, resulting in integrity and availability impact. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before executing sensitive operations. Exploitation requires valid user authentication but no special configuration or interaction.
Technical ContextAI
Broadstreet Ads is a WordPress plugin for managing advertising campaigns and inventory. The vulnerability is classified as CWE-862 (Missing Authorization), indicating that the plugin fails to enforce proper privilege boundaries in its access control implementation. Authenticated users with lower privilege levels can exploit misconfigured security checks to perform actions intended for higher-privileged roles. The vulnerability affects the plugin across all versions through 1.52.2, suggesting the authorization bypass exists in core functionality rather than isolated features.
RemediationAI
Upgrade Broadstreet Ads to the patched version immediately following the vendor's release (version after 1.52.2 once available). Contact the Broadstreet development team or monitor their plugin repository for the security patch. Interim workaround: Restrict plugin access to trusted administrators only by using WordPress user role management; disable or remove the plugin from non-production environments until patching is complete. Note that disabling the plugin will halt advertising functionality, and role restriction may limit intended operational use - verify compatibility with site requirements before implementing. Apply the patch at the earliest convenient maintenance window to minimize service disruption.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29452
GHSA-qfh3-p8jm-v9fx