WordPress Plugin Vulnerabilities

Advanced Ads – Ad Manager & AdSense < 2.0.15 - Missing Authorization to Authenticated (Subscriber+) Ad Placements Update

Description

The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update ad placements, allowing them to change which ad or ad group a placement serves.

Affects Plugins

Plugin icon
advanced-ads
Fixed in 2.0.15

References

CVE
CVE-2025-12884
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a1ad32fb-929e-4181-8789-df50a77a71ef

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Supakiad S. (m3ez)
Verified
No
WPVDB ID
096abc6c-9fdc-4b5d-a700-e4821ba1a177

Timeline

Publicly Published
2026-02-18 (about 3 months ago)
Added
2026-02-18 (about 3 months ago)
Last Updated
2026-02-19 (about 3 months ago)

Other

Published
Title
Published
2021-07-12
Title
Frontend File Manager < 18.3 - Unauthenticated Arbitrary Post Deletion
Published
2021-04-06
Title
WPBakery Page Builder Clipboard < 4.5.8 - Unauthorised Arbitrary License Options Update
Published
2024-03-20
Title
WooCommerce Cloak Affiliate Links < 1.0.34 - Missing Authorization to Unauthenticated Permalink Modification
Published
2021-07-19
Title
RestroPress < 2.8.3.1 - Unauthorised AJAX Calls
Published
2024-05-23
Title
Event post < 5.9.5 - Missing Authorization