Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The CM Ad Changer - A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmac_campaigns_action function. This makes it possible for unauthenticated attackers to permanently delete arbitrary advertising campaigns, including their associated banner records and uploaded files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AnalysisAI
Cross-Site Request Forgery in the CM Ad Changer WordPress plugin (all versions ≤ 2.0.7) allows permanent, irreversible deletion of advertising campaigns, associated banner records, and uploaded media files without any attacker authentication. The root cause is absent or incorrect nonce validation in the cmac_campaigns_action function, meaning forged HTTP requests bypass WordPress's standard CSRF defenses entirely. No active exploitation is confirmed (not in CISA KEV) and EPSS sits at the 2nd percentile, but the social-engineering bar - tricking one administrator into clicking a link - is low, making this a meaningful integrity risk for ad-dependent WordPress deployments.
Technical ContextAI
CM Ad Changer is a WordPress plugin for managing banner advertising campaigns. WordPress uses cryptographic nonce tokens tied to user sessions to protect state-changing actions against CSRF; their absence in cmac_campaigns_action (identified in backend/cm-ad-changer-backend.php at lines 167 and 177, and shared/classes/cmac-data.php at line 363) means any HTTP request carrying a valid admin session cookie - regardless of its origin - will be honored. CWE-352 (Cross-Site Request Forgery) describes exactly this class of flaw: the server cannot distinguish a legitimate admin action from one forged by a third-party page. The affected CPE is the CM Ad Changer plugin for WordPress across all releases through 2.0.7. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N reflects that no attacker privilege is needed and network delivery is straightforward, but a single user-interaction step (the admin click) is mandatory.
RemediationAI
The WordPress plugin Subversion repository contains a changeset (revision 3544026, referenced at plugins.trac.wordpress.org/changeset with old=3544026 and new=3544026 for cm-ad-changer) that appears to address this vulnerability; however, the exact version number of the patched release is not independently confirmed from the available data - administrators should check the WordPress plugin directory for a release newer than 2.0.7 and update immediately upon availability. As a compensating control until a confirmed patched release is installed, administrators can temporarily deactivate the CM Ad Changer plugin to eliminate the attack surface entirely - trade-off: banner campaigns will stop serving. Alternatively, a Web Application Firewall rule blocking POST requests to the cmac_campaigns_action endpoint from origins other than the site's own domain will mitigate CSRF delivery without disabling the plugin, though this depends on WAF capability. Restricting admin account access and enforcing phishing-resistant MFA reduces the social-engineering vector but does not eliminate the underlying flaw. The Wordfence advisory at wordfence.com/threat-intel/vulnerabilities/id/a335c917-3fff-4079-bb38-64cd665c5c38 should be monitored for the confirmed patched version.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32051
GHSA-3r2q-jjrf-rg7x