Description
The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-block-N} tag pattern that calls get_post_field('post_content', N) without verifying the requesting user's capability with current_user_can('read_post'), without restricting the post type to 'wp_block', and without checking the post status. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the full content of arbitrary posts including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it.
Published: 2026-07-03
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress contains an insecure direct object reference that lets authenticated users with Contributor level or higher read the full content of any post. By inserting the [adinserter] shortcode with a 'data' attribute that includes a {reusable-block-N} tag, the plugin calls get_post_field('post_content', N) without checking the user's capability, the post type, or the post status. As a result, an attacker can retrieve private, draft, pending, trashed, or password‑protected content belonging to other users, which is a classic CWE-639 vulnerability.
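To make the three missing checks concrete, here is an added illustration of what a hardened resolver for a {reusable-block-N} style tag looks like. This is not Ad Inserter's code and the function name is hypothetical; it only uses the WordPress core APIs named in the description (get_post_field / get_post, current_user_can('read_post')) and restricts references to published wp_block posts that the rendering user is allowed to read.

```php
<?php
// Added illustration, not the plugin's own code. Resolves a hypothetical
// {reusable-block-N} tag the way the advisory says the vulnerable path did
// not: the post type, post status and read capability are all verified before
// any content is returned. Runs inside WordPress (needs get_post,
// current_user_can, post_password_required).

function resolve_reusable_block_hardened( string $text ): string {
    return preg_replace_callback(
        '/\{reusable-block-(\d+)\}/',
        function ( array $m ): string {
            $id   = (int) $m[1];
            $post = get_post( $id );

            // 1. Only reusable blocks may be referenced, never arbitrary posts.
            if ( ! $post || 'wp_block' !== $post->post_type ) {
                return '';
            }

            // 2. Only published blocks: draft, pending, private and trashed
            //    posts are never exposed through the tag.
            if ( 'publish' !== $post->post_status ) {
                return '';
            }

            // 3. Password-protected content is not rendered unless the
            //    password has already been supplied for this request.
            if ( post_password_required( $post ) ) {
                return '';
            }

            // 4. The user rendering the shortcode must be allowed to read
            //    this specific post; the check is per post, not per role.
            if ( ! current_user_can( 'read_post', $id ) ) {
                return '';
            }

            return $post->post_content;
        },
        $text
    );
}
```

The checks run at render time in the context of whoever triggers the preview, which is why a per-post capability check matters: a Contributor previewing their own post must not be able to read content that the capability system would otherwise deny them.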

Affected Systems

All WordPress sites that have the Ad Inserter plugin installed in any version up to and including 2.8.16 are affected. The vulnerability only requires the attacker to possess at least Contributor permissions and to be able to place the shortcode in a post they own and preview it.

Risk and Exploitability

The CVSS score of 4.3 classifies the issue as medium impact. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating that large‑scale exploitation has not been observed. Exploitation requires local authenticated access and the ability to preview a post containing the shortcode. It does not provide remote code execution or denial of service; the risk is limited to confidentiality loss of post content.

Generated by OpenCVE AI on July 4, 2026 at 04:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ad Inserter plugin to the latest release that includes a fix for the insecure direct object reference; check the plugin changelog for a description of the correction.
  • If a newer release cannot be applied immediately, remove or disable the [adinserter] shortcode from all posts and pages, thereby eliminating the trigger for the vulnerability.
  • Restrict Contributor and other privileged roles to only the capabilities they require, and consider preventing those roles from accessing or previewing private or draft posts to limit the potential impact.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 10:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Spacetime; Spacetime ad Inserter – Ad Manager & Adsense Ads; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Spacetime; Spacetime ad Inserter – Ad Manager & Adsense Ads; Wordpress; Wordpress wordpress

Fri, 03 Jul 2026 09:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: the description shown at the top of this page

Type: Title
  Values Removed: (none)
  Values Added: Ad Inserter <= 2.8.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Post Content Disclosure via 'data' Shortcode Attribute

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-639

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-03T07:53:08.023Z

Reserved: 2026-06-10T15:43:26.797Z

Link: CVE-2026-11900

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-04T05:00:15Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key