Description
Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Ad Changer cm-ad-changer allows Cross Site Request Forgery. This issue affects CM Ad Changer: from n/a through <= 2.0.5.
Published: 2025-04-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑Site Request Forgery (CSRF) in the CreativeMindsSolutions CM Ad Changer plugin allows an attacker to forge a request on behalf of a logged‑in user by exploiting the lack of proper request validation. The flaw enables the unauthorized execution of any state‑changing action that the plugin provides, potentially compromising the integrity of the site’s configuration. This weakness is identified as CWE‑352.

Affected Systems

WordPress sites that use CM Ad Changer version 2.0.5 or earlier are affected. The plugin runs within any WordPress installation, and users or administrators with sufficient privileges on the site are at risk. No specific operating system or PHP version constraints are noted; the exposure applies broadly to any WordPress deployment with the vulnerable plugin.

Risk and Exploitability

The CVSS score of 4.3 denotes a moderate impact, while the EPSS score of less than 1% indicates that exploitation is unlikely at present. The flaw is not listed in CISA’s KEV catalog, further suggesting limited public exploitation. Based on the description, the attack vector requires an authenticated user to be tricked into opening a malicious payload, so the likelihood is constrained to environments where administrators or privileged users have network access to the site. Administrators should treat the issue as moderate risk, but proactive patching is recommended.

Generated by OpenCVE AI on May 2, 2026 at 08:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CM Ad Changer plugin to the latest version, where the CSRF vulnerability has been fixed.
  • If an upgrade is not immediately possible, temporarily disable or uninstall the CM Ad Changer plugin to eliminate the attack surface.
  • Add CSRF protection, such as unique nonces for administrative requests, to the plugin or surrounding code to mitigate the flaw if a patch is not available.


Advisories
Source: EUVD
ID: EUVD-2025-12297
Title: Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Ad Changer allows Cross Site Request Forgery. This issue affects CM Ad Changer: from n/a through 2.0.5.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics
  Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Ad Changer allows Cross Site Request Forgery. This issue affects CM Ad Changer: from n/a through 2.0.5.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Ad Changer cm-ad-changer allows Cross Site Request Forgery. This issue affects CM Ad Changer: from n/a through <= 2.0.5.
Title
  Removed: WordPress CM Ad Changer <= 2.0.5 - Cross Site Request Forgery (CSRF) Vulnerability
  Added: WordPress CM Ad Changer plugin <= 2.0.5 - Cross Site Request Forgery (CSRF) Vulnerability
References
Metrics
  Removed: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
  Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Tue, 29 Apr 2025 18:45:00 +0000

First Time appeared
  Added: Cminds; Cminds cm Ad Changer
CPEs
  Added: cpe:2.3:a:cminds:cm_ad_changer:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Added: Cminds; Cminds cm Ad Changer

Tue, 22 Apr 2025 17:15:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 22 Apr 2025 10:00:00 +0000

Description
  Added: Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Ad Changer allows Cross Site Request Forgery. This issue affects CM Ad Changer: from n/a through 2.0.5.
Title
  Added: WordPress CM Ad Changer <= 2.0.5 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses
  Added: CWE-352
References
Metrics
  Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.070Z

Reserved: 2025-04-22T09:21:43.074Z

Link: CVE-2025-46245

Vulnrichment

Updated: 2025-04-22T16:21:07.961Z

NVD

Status: Modified

Published: 2025-04-22T10:15:18.750

Modified: 2026-04-23T15:29:56.683

Link: CVE-2025-46245

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:45:38Z

Weaknesses