Description
The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-01-17
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SQL Injection leading to sensitive data extraction
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the Advanced Ads – Ad Manager & AdSense WordPress plugin and allows an authenticated user with Administrator privileges or higher to inject arbitrary SQL statements through the unescaped 'order' parameter. Because the plugin concatenates this parameter directly into a query without proper preparation or escaping, an attacker can append additional commands to the original query, potentially extracting confidential information such as user credentials, system configuration, or other sensitive content.

Affected Systems

WordPress sites running the Advanced Ads – Ad Manager & AdSense plugin for any release through version 2.0.15 are affected. The issue is isolated to the plugin’s admin interface; standard WordPress core functions are not directly impacted.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of active exploitation in the wild, and the vulnerability is not noted in the CISA KEV catalog. Exploitation requires legitimate Administrator credentials or higher, so the attack surface is limited to sites with insecure admin access management. An attacker who can authenticate can construct injection payloads through the 'order' field to read or manipulate database rows.

Generated by OpenCVE AI on April 21, 2026 at 23:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Advanced Ads – Ad Manager & AdSense plugin to the latest version that removes the vulnerable code path (at least version 2.0.16).
  • Modify user role permissions so that only trusted accounts have Administrator or higher access, and enforce strong authentication for those accounts.
  • Configure a Web Application Firewall or equivalent filtering to block suspicious SQL injection patterns on the plugin’s admin endpoints.

Generated by OpenCVE AI on April 21, 2026 at 23:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 21 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Monetizemore
Monetizemore advanced Ads
Wordpress
Wordpress wordpress
Vendors & Products Monetizemore
Monetizemore advanced Ads
Wordpress
Wordpress wordpress

Sat, 17 Jan 2026 07:00:00 +0000

Type Values Removed Values Added
Description The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Advanced Ads – Ad Manager & AdSense <= 2.0.15 - Authenticated (Admin+) SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Monetizemore Advanced Ads
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:47.406Z

Reserved: 2025-11-10T21:16:00.943Z

Link: CVE-2025-12984

cve-icon Vulnrichment

Updated: 2026-01-21T16:08:02.685Z

cve-icon NVD

Status : Deferred

Published: 2026-01-17T07:16:00.987

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12984

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:00:03Z

Weaknesses