Description
The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disclose any private post metadata.
Published: 2026-05-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Broadstreet WordPress plugin contains an insecure direct object reference flaw in its get_sponsored_meta AJAX action, allowing authenticated users with Subscriber level or higher to retrieve any private post metadata, effectively leaking information intended to be restricted. The weakness is identified by CWE-639.

Affected Systems

WordPress sites that use the Broadstreet plugin version 1.52.2 or earlier are vulnerable, regardless of other plugins or theme configurations.

Risk and Exploitability

The vulnerability has a CVSS score of 4.3, indicating moderate severity. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog, suggesting limited known exploitation. Attacking requires simply authenticating with a subscriber or higher role and invoking the exposed AJAX endpoint, which is straightforward and incurs no significant effort.

Generated by OpenCVE AI on May 21, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Broadstreet plugin to version 1.53.2 or later to remove the vulnerability.
  • If an upgrade is not immediately feasible, restrict the get_sponsored_meta AJAX action to administrators only via role checks or permission filters.
  • Patch or replace the AJAX handler to validate the requested post ID against the current user's permissions before returning metadata, ensuring no direct object reference is possible.

Generated by OpenCVE AI on May 21, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Broadstreetads
Broadstreetads broadstreet
Wordpress
Wordpress wordpress
Vendors & Products Broadstreetads
Broadstreetads broadstreet
Wordpress
Wordpress wordpress

Thu, 21 May 2026 02:15:00 +0000

Type Values Removed Values Added
Description The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disclose any private post metadata.
Title Broadstreet <= 1.52.2 - Authenticated (Subscriber+) Private Post Meta Disclosure via get_sponsored_meta
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Broadstreetads Broadstreet
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-21T14:24:56.187Z

Reserved: 2026-02-04T12:39:42.839Z

Link: CVE-2026-1881

cve-icon Vulnrichment

Updated: 2026-05-21T14:03:11.091Z

cve-icon NVD

Status : Deferred

Published: 2026-05-21T02:16:32.437

Modified: 2026-05-21T15:19:30.540

Link: CVE-2026-1881

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T03:30:45Z

Weaknesses