What the vulnerability does
01 Description
The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to and including 2.0.14 via the 'change-ad__content' shortcode parameter. This allows authenticated attackers with editor-level permissions or above to execute code on the server.
Explanation of Vulnerability in Simple Terms
02 Summary
Advanced Ads allows high-privilege users to inject and execute arbitrary code through an unvalidated input field. An attacker with admin or editor access can craft malicious input that runs as PHP on the site, compromising the entire installation. All versions up to 2.0.14 are affected. Update immediately to a version newer than 2.0.14.
What an attacker can do
03 Attacker Capabilities
Run arbitrary PHP code on the site with full server privileges.
Potential impact on your site
04 Site Impact
A compromised admin account can execute code, steal data, modify content, or take the site offline.
Conditions required to exploit
05 Prerequisites
Attacker must have admin or editor-level access to the WordPress site.
Key dates
06 Disclosure timeline
December 29, 2025: CVE published
April 8, 2026: Record updated