Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Input Data Manipulation.This issue affects Ads by WPQuads: from n/a through <= 3.0.2.
AnalysisAI
Input data manipulation in the Ads by WPQuads WordPress plugin (slug: quick-adsense-reloaded) versions up to and including 3.0.2 allows unauthenticated remote attackers to submit improperly validated input, resulting in low-impact integrity and availability degradation. Discovered and reported by Patchstack (audit@patchstack.com) and tracked under ENISA EUVD-2026-32183, this vulnerability carries a CVSS 6.5 base score. No public exploit code has been identified at time of analysis, and EPSS places exploitation probability at just 0.06% (18th percentile), indicating low real-world exploitation pressure currently.
Technical ContextAI
The affected component is the 'Ads by WPQuads' WordPress plugin (quick-adsense-reloaded), versions 0 through 3.0.2 inclusive, as confirmed by EUVD CPE-equivalent version range data. CWE-1284 (Improper Validation of Specified Quantity in Input) describes a class of flaws where a product receives a quantity or count value but fails to validate it against acceptable bounds, allowing attackers to supply out-of-range or malformed numeric/quantity inputs that the application processes incorrectly. In a WordPress ad management plugin context, this could manifest as manipulation of ad slot counts, impression counters, or similar numeric fields exposed through the plugin's front-end or AJAX endpoints. Notably, the Patchstack reference URL labels this a 'broken-authentication-vulnerability,' which diverges from both the NVD description and CWE classification - this inconsistency warrants independent vendor verification.
RemediationAI
No explicit patched version is identified in the available intelligence data - affected versions are stated as up to and including 3.0.2, but no confirmed fixed release version is cited by NVD, EUVD, or the Patchstack reference. Site operators should consult the WordPress Plugin Directory and the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/quick-adsense-reloaded/vulnerability/wordpress-ads-by-wpquads-plugin-3-0-2-broken-authentication-vulnerability for the latest patched release. As a compensating control while awaiting a confirmed fix, administrators can deactivate the plugin on sites where ad serving is not critical, or restrict access to plugin-specific AJAX endpoints via WAF rules targeting the plugin's registered action hooks. Removing or disabling the plugin eliminates exposure entirely but loses ad functionality. Applying a WAF rule is lower-impact but may not fully mitigate the vulnerability if the affected endpoints are not precisely identified.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32183
GHSA-f3q8-x325-fc8h