What the vulnerability does
01 Description
The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.12 via the select_one() function. This is because the AJAX endpoint neither restricts who may reach it nor limits the functions it will call to a safe set. As a result, unauthenticated attackers can invoke arbitrary functions whose names begin with get_the_, such as get_the_excerpt, which can lead to information exposure.
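The flaw described above is the combination of two missing controls in one AJAX handler: no check on who is calling, and no restriction on which function name the request may select. The PHP below is an added illustration, not code from the Advanced Ads plugin; the hook names, request parameters and the `example_` function names are assumptions. It shows the weak pattern next to a hardened handler that uses WordPress's own nonce, capability and allowlist mechanisms.

```php
<?php
// Added illustrative example, not the Advanced Ads plugin's code.
// Hook names, request parameters and example_* function names are assumed.

// --- Weak pattern (the shape the advisory describes) ---
// Registered for unauthenticated requests (wp_ajax_nopriv_) and builds the
// callable from request input, so any function whose name starts with
// "get_the_" can be reached by anyone who can send an HTTP request.
function example_select_one_weak() {
    $name = isset( $_REQUEST['name'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['name'] ) ) : '';
    $id   = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
    $callable = 'get_the_' . $name;            // suffix is caller-controlled
    if ( function_exists( $callable ) ) {      // only checks existence, not safety
        wp_send_json_success( call_user_func( $callable, $id ) );
    }
    wp_send_json_error();
}
add_action( 'wp_ajax_example_select_one_weak', 'example_select_one_weak' );
add_action( 'wp_ajax_nopriv_example_select_one_weak', 'example_select_one_weak' ); // exposes it to anonymous visitors

// --- Hardened pattern ---
// 1. No wp_ajax_nopriv_ registration: anonymous visitors cannot reach it.
// 2. check_ajax_referer() rejects requests without a valid nonce.
// 3. current_user_can() limits the action to users with a relevant capability,
//    and a per-post 'read_post' check prevents reading posts the caller may not see.
// 4. The callable comes from a fixed allowlist; request input is only a key
//    into that array and never becomes part of a function name.
function example_select_one_hardened() {
    check_ajax_referer( 'example_select_one', 'nonce' );   // dies with 403 on a bad/missing nonce
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array(
        'title'   => 'get_the_title',
        'excerpt' => 'get_the_excerpt',
    );
    $key = isset( $_POST['field'] ) ? sanitize_key( $_POST['field'] ) : '';
    $id  = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! isset( $allowed[ $key ] ) || ! $id ) {
        wp_send_json_error( 'invalid request', 400 );
    }
    if ( ! current_user_can( 'read_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( call_user_func( $allowed[ $key ], $id ) );
}
add_action( 'wp_ajax_example_select_one', 'example_select_one_hardened' );
```

The nonce is generated on the admin page that issues the request (for example with `wp_create_nonce( 'example_select_one' )` passed to the script via `wp_localize_script`), so the server-side check in the handler binds each call to a page the site itself rendered. For detection, unauthenticated hits on `admin-ajax.php` for an action that should only ever be called from the admin UI are the signal to watch in web-server logs.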
Explanation of Vulnerability in Simple Terms
02 Summary
Advanced Ads allows unauthenticated attackers to inject and execute arbitrary code through the plugin's ad management functionality. The vulnerability exists in versions up to 2.0.12 and requires no user interaction. An attacker can exploit this to modify site content, steal data, or compromise the WordPress installation.
What an attacker can do
03 Attacker Capabilities
Inject and run arbitrary code on the site without authentication.
Potential impact on your site
04 Site Impact
Attackers can modify ads, steal visitor data, inject malware, or take control of the WordPress site.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
November 1, 2025: CVE published
April 8, 2026: Record updated