Description
Cross-Site Request Forgery (CSRF) vulnerability in Broadstreet Broadstreet Ads broadstreet allows Cross Site Request Forgery. This issue affects Broadstreet Ads: from n/a through <= 1.52.1.
Published: 2025-04-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Broadstreet Ads WordPress plugin contains a Cross‑Site Request Forgery flaw (CWE‑352) that allows a malicious actor, who tricks a logged‑in user into visiting a forged URL, to modify the plugin’s configuration settings. The attacker cannot obtain credentials or execute arbitrary code, but can alter advertising behavior, potentially causing revenue loss or degrading user experience.

Affected Systems

The vulnerability affects every installation of the Broadstreet Ads WordPress plugin up to and including version 1.52.1. Users of older or unpatched versions should verify the current plugin version and plan a timely upgrade.

Risk and Exploitability

The CVSS score of 4.3 and an EPSS score of less than 1 % place this issue in the low‑to‑medium severity range, and it is not listed in the CISA KEV catalog. A typical exploitation path requires a victim who is logged into the WordPress administrator interface to unknowingly follow a crafted link; because the attack works through the user’s browser, it does not need direct access to the server, but it relies on social‑engineering tactics.

Generated by OpenCVE AI on May 1, 2026 at 00:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Broadstreet Ads plugin to version 1.52.2 or later, which removes the CSRF flaw.
  • Until the update is applied, disable or lock the plugin’s settings editing interface so that only users with a specific capability (e.g., site administrators) can modify advertising options.
  • Verify that all WordPress administrative forms contain proper CSRF nonce verification; install a security plugin that adds nonce checks if your theme or other plugins lack them.


Advisories
Source: EUVD
ID: EUVD-2025-9779
Title: Cross-Site Request Forgery (CSRF) vulnerability in Broadstreet Broadstreet allows Cross Site Request Forgery. This issue affects Broadstreet: from n/a through 1.51.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in Broadstreet Broadstreet allows Cross Site Request Forgery. This issue affects Broadstreet: from n/a through 1.51.1.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in Broadstreet Broadstreet Ads broadstreet allows Cross Site Request Forgery. This issue affects Broadstreet Ads: from n/a through <= 1.52.1.
Title
  Removed: WordPress Broadstreet Plugin <= 1.51.1 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
  Added: WordPress Broadstreet plugin <= 1.52.1 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Fri, 04 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Broadstreet Broadstreet allows Cross Site Request Forgery. This issue affects Broadstreet: from n/a through 1.51.1.
Title WordPress Broadstreet Plugin <= 1.51.1 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:20.313Z

Reserved: 2025-04-04T10:02:22.507Z

Link: CVE-2025-32270

Vulnrichment

Updated: 2025-04-04T18:58:22.822Z

NVD

Status: Deferred

Published: 2025-04-04T16:15:38.213

Modified: 2026-04-23T15:28:52.557

Link: CVE-2025-32270

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T00:30:04Z

Weaknesses