Skip to main content

Ad Inserter Ad Manager Adsense Ads

1 CVEs product

Monthly

CVE-2026-11900 MEDIUM This Month

Insecure Direct Object Reference in the Ad Inserter WordPress plugin (versions up to and including 2.8.16) allows authenticated Contributor-level users to read the full content of arbitrary posts they do not own or have permission to view, including Private, Draft, Pending, Trashed, and password-protected posts. The flaw exists in the shortcode processing function replace_ai_tags(), which fetches post content by a user-supplied numeric ID without any authorization check, post-type restriction, or status filtering. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Ad Inserter Ad Manager Adsense Ads
NVD
CVSS 3.1
4.3
EPSS
0.3%
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the Ad Inserter WordPress plugin (versions up to and including 2.8.16) allows authenticated Contributor-level users to read the full content of arbitrary posts they do not own or have permission to view, including Private, Draft, Pending, Trashed, and password-protected posts. The flaw exists in the shortcode processing function replace_ai_tags(), which fetches post content by a user-supplied numeric ID without any authorization check, post-type restriction, or status filtering. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Ad Inserter Ad Manager Adsense Ads
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy