Insecure Direct Object Reference in Broadstreet WordPress Plugin
CVE-2026-1881
4.3 MEDIUM
What is CVE-2026-1881?
The Broadstreet plugin for WordPress contains an Insecure Direct Object Reference vulnerability that affects all versions up to and including 1.52.2. This vulnerability arises from insufficient validation on a user-controlled key in the get_sponsored_meta AJAX action. As a result, authenticated attackers with Subscriber-level access and above can exploit this flaw to access and disclose private post metadata, posing a significant threat to user privacy and data integrity.
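The class of fix this kind of flaw calls for, as an added example that is not Broadstreet's code or its actual patch: an AJAX handler that authorizes the requested object and restricts which metadata it returns. The action name, nonce name, `post_id` parameter and meta keys are hypothetical.

```php
<?php
// Added illustration. Everything prefixed example_ is hypothetical and is
// not taken from the Broadstreet plugin.

// Meta keys this endpoint may return (constructed sample values).
const EXAMPLE_PUBLIC_META_KEYS = array( 'example_sponsor_name', 'example_sponsor_url' );

// wp_ajax_{action} fires for any logged-in user, Subscribers included, so
// reaching the handler is authentication only, not authorization.
add_action( 'wp_ajax_example_get_meta', 'example_get_meta' );

function example_get_meta() {
    // 1. Reject requests that lack a valid nonce for this action.
    check_ajax_referer( 'example_get_meta', 'nonce' );

    // 2. Treat the object reference as untrusted input.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    // 3. Object-level check: may the current user read this specific post?
    //    Without it, any valid ID (private or draft posts too) is served.
    if ( ! current_user_can( 'read_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 4. Return only allowlisted keys instead of the post's full metadata.
    $meta = array();
    foreach ( EXAMPLE_PUBLIC_META_KEYS as $key ) {
        $meta[ $key ] = get_post_meta( $post_id, $key, true );
    }
    wp_send_json_success( $meta );
}
```

`wp_send_json_error()` and `wp_send_json_success()` terminate the request, so each failed check stops the handler before any metadata is read.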
Affected Version(s)
Broadstreet: versions from 0 up to and including 1.52.2