WordPress Plugin Vulnerabilities

Advanced Ads < 2.0.15 - Editor+ Remote Code Execution via Shortcode

Description

The plugin is vulnerable to Remote Code Execution via the 'change-ad__content' shortcode parameter. This allows authenticated attackers with editor-level permissions or above, to execute code on the server.

Affects Plugins

Plugin icon
advanced-ads
Fixed in 2.0.15

References

CVE
CVE-2025-13592
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f9e83561-aa71-4984-8a26-207e208d70e8

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (high)

Miscellaneous

Original Researcher
NosleeP++
Verified
No
WPVDB ID
a9c8baea-0e7e-49be-81e6-6a9a175955a6

Timeline

Publicly Published
2025-12-29 (about 4 months ago)
Added
2026-01-05 (about 4 months ago)
Last Updated
2026-01-05 (about 4 months ago)

Other

Published
Title
Published
2024-10-14
Title
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) < 1.5.122 - Authenticated (Editor+) Remote Code Execution
Published
2023-09-26
Title
Ni Purchase Order(PO) For WooCommerce < 1.2.2 - Admin+ File Upload to Remote Code Execution
Published
2025-03-26
Title
PDF for WPForms < 5.3.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Published
2020-03-05
Title
WP Advanced Search < 3.3.4 - Unauthenticated Database Access and Remote Code Execution (RCE)
Published
2025-05-07
Title
Ultimate Member <= 2.10.3 - Admin+ Arbitrary Function Call