The Ads Pro WordPress plugin suffers a missing‑authorization flaw that allows privileged actions to be performed by users who lack the appropriate security clearance. This broken access control means attackers can execute functions intended only for trusted users, potentially altering ad configurations or accessing sensitive data stored within the plugin. The weakness is a classic example of improper authorization (CWE‑862) and could lead to unauthorized changes or data exposure if exercised by a malicious actor.

Vendors: scripteo; Product: Ads Pro plugin for WordPress. Versions affected are all releases up to and including 5.0, as identified by the CNA. The issue is present in every deployment that installs an instance of Ads Pro at or below 5.0, regardless of site magnitude or user role configuration.

The CVSS score of 5.4 places this vulnerability in the medium severity range. EPSS indicates a very low exploitation probability (<1%), and the flaw is not yet present in the CISA KEV catalog. While the attack surface is remote—an external actor can send crafted HTTP requests to the WordPress site—the need for correct configuration or user identity indicates that the flaw is most likely exploitable in environments where access controls are poorly enforced or where the plugin is accessible to non‑administrator users. This inference about the attack vector is drawn from the description. If exploited, an attacker could gain unauthorized privilege to manipulate ad settings or view data beyond their normal role.