Impact
The vulnerability is a subscriber-level broken access control in the WordPress Ads by WPQuads plugin, versions 3.0.3 and earlier. The plugin fails to enforce a capability check on administrator-only functions, so any authenticated user, including one holding only the Subscriber role, can reach actions that should be restricted to administrators. An attacker with a subscriber account can therefore modify or delete ad settings, which can affect site revenue or the visitor experience. The weakness is mapped to CWE-862, Missing Authorization: the code performs a privileged operation without first checking that the caller is allowed to perform it.
Affected Systems
WordPress sites using the Ads by WPQuads plugin, versions 3.0.3 and earlier. The vendor entry lists the affected product as Ads WPQuads: Ads by WPQuads; every WordPress installation running the plugin at 3.0.3 or below is affected until it is upgraded past that version.
Risk and Exploitability
The CVSS score of 6.5 places the issue in the Medium severity band. No EPSS score is available, so the probability of exploitation cannot be estimated from that source, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs only a valid subscriber account on the target site; the plugin is widely deployed on live sites, and subscriber registration is often open. The likely attack path is the plugin's settings handlers (the configuration pages, their admin-ajax actions, or associated REST endpoints) being callable without a capability check, though this is an inference from the described missing role check rather than a documented request path. The flaw does not grant a higher role; it lets a subscriber reach administrator-only settings functions, so the impact is confined to unauthorized configuration changes, which compromise the integrity of the site's advertising functions.
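To make the CWE-862 pattern concrete for both the Impact and Risk sections above, the following is an added illustration written for this page, not code from the Ads by WPQuads plugin or its vendor. It shows a hypothetical WordPress admin-ajax settings handler with no capability check beside the hardened form. The action names `wpq_demo_save_ads` / `wpq_demo_save_ads_fixed`, the option name `wpq_demo_ads`, and the settings keys are all invented for the example.

```php
<?php
// Added example of CWE-862 (Missing Authorization) in a WordPress AJAX handler.
// Hypothetical code: NOT the Ads by WPQuads source. Action names, the option
// name "wpq_demo_ads" and the settings keys are invented for illustration.

// --- Vulnerable pattern -----------------------------------------------------
// wp_ajax_* hooks fire for ANY logged-in user, including Subscribers. Nothing
// here asks whether the caller may administer the site, so a subscriber can
// overwrite or empty the ad configuration.
add_action( 'wp_ajax_wpq_demo_save_ads', 'wpq_demo_save_ads_vulnerable' );
function wpq_demo_save_ads_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'wpq_demo_ads', $settings );
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// Two independent checks: a nonce (ties the request to a form the admin
// rendered, blocking CSRF) and a capability check (the authorization that
// CWE-862 is about). Subscribers do not hold manage_options, so they stop here.
add_action( 'wp_ajax_wpq_demo_save_ads_fixed', 'wpq_demo_save_ads_hardened' );
function wpq_demo_save_ads_hardened() {
    // Dies with HTTP 403 if the "nonce" field is missing or invalid.
    check_ajax_referer( 'wpq_demo_save_ads', 'nonce' );

    // Authorization: the check the vulnerable handler omits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    // Accept only the keys we expect and sanitize each value before storing it.
    $allowed  = array( 'enabled', 'placement', 'ad_code' );
    $settings = array();
    foreach ( $allowed as $key ) {
        if ( ! isset( $raw[ $key ] ) ) {
            continue;
        }
        $settings[ $key ] = ( 'ad_code' === $key )
            ? wp_kses_post( $raw[ $key ] )          // markup allowed, scripts stripped
            : sanitize_text_field( $raw[ $key ] );  // plain string settings
    }

    update_option( 'wpq_demo_ads', $settings );
    wp_send_json_success( $settings );
}
```

Both handlers are registered only so the two versions can be read side by side; a real plugin would ship only the hardened one. As a check on your own site, a request to the hardened action from a Subscriber-level session should return HTTP 403 with the permissions error, and a request without the nonce should be rejected before the capability check runs. A missing `current_user_can()` (or a check against a capability that subscribers also hold, such as `read`) is the defect class this advisory describes.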
OpenCVE Enrichment