Impact
The Ads by WPQuads (Quick Adsense Reloaded) plugin contains a missing authorization check that lets a user invoke plugin functions their role should not allow. The flaw, classified as CWE‑862, lets an attacker alter ad configurations, view ad statistics, or perform other privileged actions that should be restricted to administrators or editors. The potential impact is compromise of the WordPress site’s editorial workflow and unauthorized manipulation of advertising settings, which can lead to revenue loss and reputational damage.
Affected Systems
All WordPress installations running the Ads by WPQuads plugin at version 2.0.87.1 or earlier are vulnerable. The issue spans every release from the initial build up to and including 2.0.87.1; WordPress core and other plugins are not affected.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog, implying it has not yet been widely exploited. Based on the description, the likely attack vector is the plugin’s exposed HTTP endpoints, which any authenticated user lacking proper privileges can reach; in the worst case the endpoint may be publicly reachable. No complex prerequisites are noted, so the attack may be accessible to a broad range of threat actors.
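The missing-authorization pattern described under Impact, and the exposed-endpoint vector described above, are easiest to recognise in code. The following is an added example, not code from the WPQuads plugin: a hypothetical plugin that exposes an "save ad settings" action over admin-ajax.php and an ad-statistics route over the REST API. The action names, option names (demo_ads_settings, demo_ads_stats), route namespace and capability choices are all assumptions. The first handler shows the CWE-862 shape (an action any logged-in user can fire with no capability check); the second shows the checks WordPress expects an admin-only handler to perform.

```php
<?php
// Added example, not WPQuads code. All names below (demo_ads_*) are hypothetical.

// --- Vulnerable pattern (CWE-862): any logged-in user can reach this handler. ---
// wp_ajax_{action} fires for every authenticated user regardless of role. With no
// capability check, a subscriber-level account can rewrite the plugin's settings.
add_action( 'wp_ajax_demo_ads_save_settings_insecure', 'demo_ads_save_settings_insecure' );
function demo_ads_save_settings_insecure() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'demo_ads_settings', $settings );
    wp_send_json_success();
}

// --- Hardened pattern: capability check, nonce check, then sanitised input. ---
add_action( 'wp_ajax_demo_ads_save_settings', 'demo_ads_save_settings' );
function demo_ads_save_settings() {
    // Authorization: only users allowed to manage site options may proceed.
    // wp_send_json_error() terminates the request after sending the 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // CSRF protection: the request must carry a nonce tied to this action
    // (created on the admin page with wp_create_nonce( 'demo_ads_save_settings' )).
    check_ajax_referer( 'demo_ads_save_settings', 'nonce' );

    // Never persist raw request data; whitelist and sanitise each field.
    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array(
        'enabled'  => ! empty( $raw['enabled'] ),
        'position' => in_array( $raw['position'] ?? '', array( 'top', 'bottom' ), true )
            ? $raw['position'] : 'top',
        'ad_code'  => wp_kses_post( $raw['ad_code'] ?? '' ),
    );
    update_option( 'demo_ads_settings', $settings );
    wp_send_json_success( $settings );
}

// Do not also register the handler on wp_ajax_nopriv_{action}: that hook fires for
// unauthenticated visitors and is how an admin action becomes publicly reachable.

// --- REST API: authorization belongs in permission_callback, not in the callback. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-ads/v1', '/stats', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( get_option( 'demo_ads_stats', array() ) );
        },
        // Viewing ad statistics is limited to editors and above. A permission_callback
        // of '__return_true' here would be the REST-side equivalent of CWE-862.
        'permission_callback' => function () {
            return current_user_can( 'edit_others_posts' );
        },
    ) );
} );
```

When reviewing a plugin for this class of bug, the check is mechanical: every wp_ajax_* and wp_ajax_nopriv_* handler should call current_user_can() (or an equivalent capability test) before touching options or data, and every register_rest_route() call should carry a permission_callback that does more than return true. On a site that cannot yet update past 2.0.87.1, a web application firewall rule that restricts the plugin's admin-ajax actions to administrator sessions is a reasonable interim control.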
OpenCVE Enrichment
EUVD