Impact
The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress contains an insecure direct object reference (IDOR) that lets authenticated users with Contributor-level access or higher read the full content of any post. When a post contains the [adinserter] shortcode with a 'data' attribute that includes a {reusable-block-N} tag, the plugin resolves N by calling get_post_field('post_content', N) without checking the caller's capability, the post type, or the post status. An attacker can therefore retrieve private, draft, pending, trashed, or password-protected content belonging to other users. This is CWE-639 (Authorization Bypass Through User-Controlled Key): the post ID is taken from attacker-controlled input and used directly as a lookup key with no authorization check.
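The unsafe lookup pattern described above, next to a hardened form, as an added example that is not code from the Ad Inserter plugin. The resolver function names and the $allowed_types parameter are hypothetical; get_post, get_post_field, post_password_required and current_user_can are the real WordPress functions. When run outside WordPress, the stubs at the top supply a constructed in-memory post table so the file executes with the php CLI.

```php
<?php
// Added illustration, not the plugin's code. Shows the unsafe lookup the
// advisory describes next to a hardened form. resolve_blocks_unsafe,
// resolve_blocks_safe and $allowed_types are hypothetical names; get_post,
// get_post_field, post_password_required and current_user_can are real
// WordPress functions. Outside WordPress, the stubs below provide a constructed
// post table so the file runs with plain `php`.

if ( ! function_exists( 'get_post' ) ) {
	// Constructed fixture: a contributor (user 2) viewing posts owned by user 1.
	$GLOBALS['demo_user_id'] = 2;
	$GLOBALS['demo_posts']   = [
		10 => [ 'post_type' => 'wp_block', 'post_status' => 'publish', 'post_author' => 1, 'post_password' => '',   'post_content' => 'public reusable block' ],
		11 => [ 'post_type' => 'wp_block', 'post_status' => 'draft',   'post_author' => 1, 'post_password' => '',   'post_content' => 'SECRET draft' ],
		12 => [ 'post_type' => 'wp_block', 'post_status' => 'publish', 'post_author' => 1, 'post_password' => 'pw', 'post_content' => 'SECRET password-protected' ],
		13 => [ 'post_type' => 'wp_block', 'post_status' => 'trash',   'post_author' => 1, 'post_password' => '',   'post_content' => 'SECRET trashed' ],
		14 => [ 'post_type' => 'post',     'post_status' => 'publish', 'post_author' => 1, 'post_password' => '',   'post_content' => 'ordinary post, not a block' ],
	];
	function get_post( $id ) {
		return isset( $GLOBALS['demo_posts'][ $id ] )
			? (object) ( $GLOBALS['demo_posts'][ $id ] + [ 'ID' => $id ] )
			: null;
	}
	function get_post_field( $field, $id ) {
		$post = get_post( $id );
		return $post ? $post->$field : '';
	}
	function post_password_required( $post ) {
		return '' !== $post->post_password;
	}
	function current_user_can( $cap, $id = 0 ) {
		// Simplified map_meta_cap('read_post'): published posts are readable by
		// anyone; anything else only by its author (a contributor has neither
		// read_private_posts nor edit_others_posts).
		$post = get_post( $id );
		if ( ! $post ) {
			return false;
		}
		return 'publish' === $post->post_status
			|| (int) $post->post_author === $GLOBALS['demo_user_id'];
	}
}

// Unsafe shape: the ID parsed from the tag is used directly as the lookup key,
// so any post's content comes back regardless of status, type or ownership.
function resolve_blocks_unsafe( $text ) {
	return preg_replace_callback( '/\{reusable-block-(\d+)\}/', function ( $m ) {
		return get_post_field( 'post_content', (int) $m[1] );
	}, $text );
}

// Hardened form: expand only existing posts of an allowed type (reusable
// blocks live in the wp_block post type), not in the trash, not password
// protected, and readable by the current user; everything else becomes ''.
function resolve_blocks_safe( $text, array $allowed_types = [ 'wp_block' ] ) {
	return preg_replace_callback( '/\{reusable-block-(\d+)\}/', function ( $m ) use ( $allowed_types ) {
		$id   = (int) $m[1];
		$post = get_post( $id );
		if ( ! $post || ! in_array( $post->post_type, $allowed_types, true ) ) {
			return '';
		}
		if ( 'trash' === $post->post_status || post_password_required( $post ) ) {
			return '';
		}
		// read_post is a meta capability: WordPress maps it per post status, so
		// drafts, pending and private posts of other users are denied here.
		if ( ! current_user_can( 'read_post', $id ) ) {
			return '';
		}
		return $post->post_content;
	}, $text );
}

if ( PHP_SAPI === 'cli' && ! defined( 'ABSPATH' ) ) {
	// What a contributor's [adinserter data="..."] attribute would carry.
	$shortcode_data = 'ad: {reusable-block-10} {reusable-block-11} {reusable-block-12} {reusable-block-13} {reusable-block-14}';
	echo "unsafe: ", resolve_blocks_unsafe( $shortcode_data ), "\n"; // every SECRET row leaks
	echo "safe:   ", resolve_blocks_safe( $shortcode_data ), "\n";   // only the public block survives
}
```

The single most important line is the current_user_can('read_post', $id) check: WordPress resolves read_post through map_meta_cap according to the post's status and author, so it denies a Contributor access to another user's draft, pending, private or trashed post without the caller having to enumerate statuses. The type and password checks are additional guards so that a tag meant for reusable blocks cannot be pointed at arbitrary posts or pages.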
Affected Systems
All WordPress sites running the Ad Inserter plugin in any version up to and including 2.8.16 are affected. Exploitation requires only an account with Contributor permissions or higher: a Contributor can create a post they own, insert the shortcode into it, and preview it, which is enough to trigger the unchecked lookup.
Risk and Exploitability
The CVSS base score of 4.3 places the issue in the Medium severity range. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so there is no public evidence of exploitation in the wild. Exploitation requires an authenticated account with at least Contributor permissions and the ability to preview a post containing the shortcode; it is performed over the normal web interface and does not need access to the server itself. The flaw does not provide remote code execution or denial of service; the impact is limited to loss of confidentiality of post content, which can include unpublished, private, or password-protected material belonging to other users.
OpenCVE Enrichment