Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Network-accessible WordPress endpoint, low complexity, subscriber auth required (PR:L), integrity-only impact aligning with ad config manipulation.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Access Control in Ads by WPQuads <= 3.0.3 versions.
AnalysisAI
Broken access control in the Ads by WPQuads WordPress plugin (versions <= 3.0.3) allows authenticated subscribers to perform privileged administrative actions they are explicitly unauthorized to execute. The flaw, classified under CWE-862 (Missing Authorization), results in high integrity impact with no confidentiality or availability effect, per the CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N vector. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress subscriber-level (or higher) authenticated session on the target site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS score of 6.5 (Medium) is substantiated by the vector: network-reachable (AV:N), low complexity (AC:L), low-privilege prerequisite (PR:L), no user interaction (UI:N), and high integrity impact (I:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on a WordPress site running Ads by WPQuads <= 3.0.3 - a common configuration on blogs and news sites with open registration. Using their valid session cookie, they send a crafted HTTP request (e.g., an admin-ajax.php POST or REST API call) targeting an inadequately protected endpoint in the plugin. … |
| Remediation | Update the Ads by WPQuads plugin to a version released after 3.0.3 - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/quick-adsense-reloaded/vulnerability/wordpress-ads-by-wpquads-plugin-3-0-3-broken-access-control-vulnerability and the WordPress plugin repository for the patched release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40106
GHSA-g5p9-fm5v-5qqf