Bypass Vulnerability in XML-RPC API for Affected WordPress Plugin
CVE-2026-50741

8.8HIGH

Key Information:

Vendor: Revive
Status: Adserver
Vendor: CVE Published:; 26 June 2026

What is CVE-2026-50741?

This vulnerability allows an attacker to bypass the existing fix for a related security issue by submitting a disallowed yet valid plugin identifier through the 'type' parameter or by utilizing the 'ox.setChannelTargeting' method of the XML-RPC API. This bypass can potentially allow unauthorized actions within the WordPress ecosystem, emphasizing the need for heightened security measures and monitoring in plugin implementations.

Affected Version(s)

Adserver 0 <= 6.0.7

References

https://hackerone.com/reports/3780854

https://hackerone.com/reports/3781492

CVSS V3.0

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
Jun 6, 2026

Credit

Rio Darmawan (riodrwn)

Mikhail Ilin (doomtech)

CVE-2026-50741 Data

JSON

Revive

What is CVE-2026-50741?

Affected Version(s)

References

CVSS V3.0

Timeline

Credit