Insecure Direct Object Reference in Ad Inserter – Ad Manager & AdSense Ads Plugin for WordPress
CVE-2026-11900

4.3MEDIUM

What is CVE-2026-11900?

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference due to inadequate user capability checks. Specifically, the functionality in the replace_ai_tags() method allows authenticated users with Contributor-level access or higher to exploit the 'data' attribute of the [adinserter] shortcode. This oversight enables attackers to read the content of arbitrary posts, including those that are Private, Draft, Pending, Trashed, or password-protected, by embedding the shortcode in a post they control and previewing it. The flaw persists in versions up to and including 2.8.16 and necessitates immediate attention for users to safeguard sensitive content.

Affected Version(s)

Ad Inserter – Ad Manager & AdSense Ads 0 <= 2.8.16

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

nightward
.