The Advanced Ads – Ad Manager & AdSense plugin is vulnerable to an authorization bypass that occurs in the placement_update_item() function. The plugin does not correctly verify that the acting user has the proper capability before allowing changes to an ad placement. This flaw lets any authenticated user who has subscriber-level access or higher in WordPress change the ad or ad group that a placement serves, thereby giving an attacker direct control over how ads are displayed on the site. The weakness is a form of CWE‑284, an authorization bypass that can lead to unauthorized modification of site content and potential revenue loss.

All installations of the monetizemore Advanced Ads – Ad Manager & AdSense WordPress plugin up to and including version 2.0.14 are affected. The issue resides within the plugin’s core admin code and is relevant only to sites that have deployed these plugins on a WordPress installation.

The CVSS score of 4.3 places the vulnerability in the moderate range, and the EPSS score of less than 1% indicates it is unlikely to be widely exploited at present. It was not listed in the CISA KEV catalog, suggesting no known large‑scale exploitation. The attack vector requires an authenticated user with subscriber-level or higher privileges; thus, any user who can log into the WordPress admin area could potentially abuse the flaw if no stricter role restrictions are in place. While the impact is limited to ad placement modification, it can compromise the site's advertising revenue, brand presentation, or provide a platform for malicious advertising.