Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network read with no interaction (AV:N/AC:L/PR:N/UI:N); confidentiality set to L not H because the specific exposed data is unspecified and CWE-497 typically yields partial system/config disclosure.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in Ads by WPQuads <= 3.0.3 versions.
AnalysisAI
Unauthenticated information disclosure in the Ads by WPQuads (Quick AdSense Reloaded) WordPress plugin versions 3.0.3 and earlier lets remote attackers read sensitive data without any credentials or user interaction. The flaw, reported by Patchstack and classified as CWE-497, exposes information to an unauthorized control sphere over the network. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the target WordPress site has the Ads by WPQuads (Quick AdSense Reloaded) plugin installed and active at version 3.0.3 or earlier and that the vulnerable endpoint is reachable over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) describes a purely confidentiality-impacting, network-reachable, no-privilege, no-interaction flaw - easy to trigger but with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP request to a vulnerable plugin endpoint on a public WordPress site running Ads by WPQuads <= 3.0.3 and receives sensitive data in the response without logging in. Because attack complexity is low and no user interaction is required, the request can be scripted and sprayed across many sites; no public exploit code has been identified at time of analysis. |
| Remediation | No vendor-released patch version was identified in the available data; upgrade to the latest Ads by WPQuads release beyond 3.0.3 once the vendor's fixed version is confirmed via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/quick-adsense-reloaded/vulnerability/wordpress-ads-by-wpquads-plugin-3-0-3-sensitive-data-exposure-vulnerability?_s_id=cve) or the plugin's WordPress.org changelog. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress instances running Ads by WPQuads version 3.0.3 or earlier; disable or deactivate the plugin if feasible; implement Web Application Firewall rules blocking exploitation patterns; assess scope of potentially exposed sensitive data. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39784
GHSA-jqm5-j5fc-x67x