CVE-2025-13592

7.2 HIGH

Published: December 29, 2025 Modified: December 31, 2025

Description

The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.0.14 via the 'change-ad__content' shortcode parameter. This allows authenticated attackers with editor-level permissions or above, to execute code on the server.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.14/includes/ads/class-ad-plain.php#L36

Source: security@wordfence.com

https://plugins.trac.wordpress.org/changeset/3427297/advanced-ads#file9

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/f9e83561-aa71-4984-8a26-207e208d70e8?source=cve

Source: security@wordfence.com

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

7.2 / 10.0

EPSS (Exploit Probability)

0.3%

52th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-94

Related CVEs

CVE-2026-4680 8.8

CVE-2026-4679 N/A

CVE-2026-4678 N/A

CVE-2026-4677 N/A

CVE-2026-4676 N/A