The Ad Inserter – Ad Manager & AdSense Ads plugin for...
Moderate severity
Unreviewed
Published
Jul 3, 2026
to the GitHub Advisory Database
•
Updated Jul 3, 2026
Description
Published by the National Vulnerability Database
Jul 3, 2026
Published to the GitHub Advisory Database
Jul 3, 2026
Last updated
Jul 3, 2026
The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-block-N} tag pattern that calls get_post_field('post_content', N) without verifying the requesting user's capability with current_user_can('read_post'), without restricting the post type to 'wp_block', and without checking the post status. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the full content of arbitrary posts including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it.
References