Cross-Site Request Forgery Vulnerability in CM Ad Changer Plugin for WordPress
CVE-2026-9236

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Cm Ad Changer – A Simple Tool To Control And Optimize Your Site's Banners
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-9236?

The CM Ad Changer plugin for WordPress is compromised by a Cross-Site Request Forgery vulnerability due to inadequate nonce validation on the cmac_campaigns_action function. This weakness enables unauthenticated attackers to craft deceptive requests that can force site administrators into executing unintended actions. By tricking an admin into clicking a malicious link, an attacker could permanently erase advertising campaigns along with their associated records and any linked uploaded files. This flaw exists in all prior versions leading up to and including 2.0.7, underscoring the importance of timely updates and security measures.

Affected Version(s)

CM Ad Changer – A simple tool to control and optimize your site's banners 0 <= 2.0.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/cm-ad-changer/...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
May 21, 2026

Credit

jamaal

CVE-2026-9236 Data

JSON