Description
The Takeads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.13. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the plugin's configuration options.
Published: 2025-12-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass – Unauthorized Deletion of Plugin Configuration
Action: Patch Immediately
AI Analysis

Impact

The Takeads WordPress plugin weakens authorization controls by failing to verify that a user is permitted to delete the plugin’s configuration options. An attacker who can authenticate to the site with subscriber-level access or higher can exploit this flaw to permanently remove the plugin’s settings, disrupting advertising functionality and potentially allowing further configuration changes.

Affected Systems

WordPress installations that employ the Takeads plugin version 1.0.13 or earlier are susceptible to this issue. No other versions or other plugins are listed as affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.3, indicating a moderate compromise of system integrity. Because the EPSS score is reported as < 1%, the likelihood of exploitation is deemed low, and the vulnerability is not presently listed in the CISA KEV catalog. Exploitation requires a valid authenticated session, so the attack vector is essentially an authenticated request, likely via the plugin’s Ajax endpoint. The impact is limited to a removal of configuration but could impair site operation if the plugin is critical. The overall risk is moderate but mitigated by the need for authentication and the low probability of active exploitation in the wild.

Generated by OpenCVE AI on April 22, 2026 at 11:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Immediately upgrade the Takeads plugin to the latest release that includes proper authorization checks.
  • If an update cannot be applied, deactivate or uninstall the plugin until a fixed version is available.
  • Restrict subscriber and lower-level WordPress roles from accessing plugin settings by tightening role capabilities or removing unnecessary permissions.

Generated by OpenCVE AI on April 22, 2026 at 11:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 07 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 05 Dec 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Takeads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.13. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the plugin's configuration options.
Title Takeads <= 1.0.13 - Missing Authorization to Plugin Settings Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:55.360Z

Reserved: 2025-10-27T20:15:45.237Z

Link: CVE-2025-12370

cve-icon Vulnrichment

Updated: 2026-01-07T17:08:54.697Z

cve-icon NVD

Status : Deferred

Published: 2025-12-05T06:16:07.233

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12370

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses