Insecure Direct Object Reference in Ad Inserter – Ad Manager & AdSense Ads Plugin for WordPress
CVE-2026-11900
Key Information:
- Vendor: WordPress
- CVE Published: 3 July 2026
What is CVE-2026-11900?
The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference due to inadequate user capability checks. The replace_ai_tags() method lets authenticated users with Contributor-level access or higher abuse the 'data' attribute of the [adinserter] shortcode. By embedding the shortcode in a post they control and previewing it, an attacker can read the content of arbitrary posts, including those that are Private, Draft, Pending, Trashed, or password-protected. The flaw affects versions up to and including 2.8.16, and sites running an affected version should treat it as a priority to protect sensitive content.
Affected Version(s)
Ad Inserter – Ad Manager & AdSense Ads: 0 <= 2.8.16
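
A triage check for the issue described above, added here as an example and not taken from the plugin or the advisory: it scans exported post rows (drafts and revisions included, since the read is triggered by previewing) for live `[adinserter]` shortcodes that carry a `data` attribute and were written by users below Editor. The row layout, the role cut-off and the `EXAMPLE-VALUE` placeholders are assumptions.

```python
import re

# Live [adinserter ...] shortcode. The optional outer brackets catch the escaped
# form [[adinserter ...]], which WordPress prints literally and does not run.
SHORTCODE = re.compile(r'(\[?)\[adinserter\b([^\]]*)\](\]?)')
ATTR = re.compile(r'''([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))''')

# Assumption: roles below Editor cannot normally read other users' private or
# unpublished posts, so a 'data' attribute written by them deserves review.
LOW_PRIV_ROLES = {"contributor", "author"}

def data_attributes(content):
    """Return the value of each 'data' attribute on live [adinserter] shortcodes."""
    values = []
    for m in SHORTCODE.finditer(content):
        if m.group(1) and m.group(3):  # escaped shortcode, never executed
            continue
        for a in ATTR.finditer(m.group(2)):
            if a.group(1).lower() == "data":
                values.append(next(v for v in a.groups()[1:] if v is not None))
    return values

def triage(rows):
    """rows: dicts with id, post_type, post_status, author_role, content."""
    findings = []
    for row in rows:
        if row["author_role"] not in LOW_PRIV_ROLES:
            continue
        for value in data_attributes(row["content"]):
            findings.append((row["id"], row["post_type"], row["post_status"], value))
    return findings

# Constructed sample rows (not real data). EXAMPLE-VALUE is a placeholder for
# whatever the attribute held; the advisory does not give its syntax.
SAMPLE_ROWS = [
    {"id": 101, "post_type": "post", "post_status": "draft", "author_role": "contributor", "content": 'Intro [adinserter data="EXAMPLE-VALUE"] text'},
    {"id": 102, "post_type": "revision", "post_status": "inherit", "author_role": "author", "content": "[adinserter block='1' data='EXAMPLE-VALUE-2']"},
    {"id": 103, "post_type": "post", "post_status": "publish", "author_role": "administrator", "content": '[adinserter data="EXAMPLE-VALUE"]'},
    {"id": 104, "post_type": "post", "post_status": "draft", "author_role": "contributor", "content": 'Docs: [[adinserter data="EXAMPLE-VALUE"]]'},
    {"id": 105, "post_type": "post", "post_status": "pending", "author_role": "contributor", "content": '[adinserter block="2"]'},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding)
```

Each finding is a lead for manual review of the post and its author, not proof that content was read.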