{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12884", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-07T17:16:20.954Z", "datePublished": "2026-02-19T03:25:17.396Z", "dateUpdated": "2026-04-08T17:12:29.698Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:29.698Z"}, "affected": [{"vendor": "monetizemore", "product": "Advanced Ads \u2013\u00a0Ad Manager & AdSense", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Advanced Ads \u2013 Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update ad placements, allowing them to change which ad or ad group a placement serves."}], "title": "Advanced Ads \u2013 Ad Manager & AdSense <= 2.0.14 - Missing Authorization to Authenticated (Subscriber+) Ad Placements Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a1ad32fb-929e-4181-8789-df50a77a71ef?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.13/includes/admin/class-ajax.php#L886-L932"}, {"url": "https://plugins.trac.wordpress.org/changeset/3427297"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284 Improper Access Control", "cweId": "CWE-284", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "timeline": [{"time": "2025-11-01T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-18T15:11:38.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:04:23.140104Z", "id": "CVE-2025-12884", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:41:30.633Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12884", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T17:04:23.140104Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:04:24.904Z"}}], "cna": {"title": "Advanced Ads \u2013 Ad Manager & AdSense <= 2.0.14 - Missing Authorization to Authenticated (Subscriber+) Ad Placements Update", "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "monetizemore", "product": "Advanced Ads \u2013\u00a0Ad Manager & AdSense", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.14"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-01T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-18T15:11:38.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a1ad32fb-929e-4181-8789-df50a77a71ef?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.13/includes/admin/class-ajax.php#L886-L932"}, {"url": "https://plugins.trac.wordpress.org/changeset/3427297"}], "descriptions": [{"lang": "en", "value": "The Advanced Ads \u2013 Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update ad placements, allowing them to change which ad or ad group a placement serves."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:29.698Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12884", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:12:29.698Z", "dateReserved": "2025-11-07T17:16:20.954Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T03:25:17.396Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Advanced Ads \u2013 Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update ad placements, allowing them to change which ad or ad group a placement serves."}, {"lang": "es", "value": "El plugin Advanced Ads \u2013 Ad Manager &amp; AdSense para WordPress es vulnerable a una omisi\u00f3n de autorizaci\u00f3n en versiones hasta la 2.0.14, inclusive. Esto se debe a que el plugin no verifica correctamente que un usuario est\u00e1 autorizado para realizar una acci\u00f3n en la funci\u00f3n 'placement_update_item()'. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, actualicen las ubicaciones de anuncios, lo que les permite cambiar qu\u00e9 anuncio o grupo de anuncios sirve una ubicaci\u00f3n."}], "id": "CVE-2025-12884", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:29.290", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.13/includes/admin/class-ajax.php#L886-L932"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3427297"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a1ad32fb-929e-4181-8789-df50a77a71ef?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Advanced Ads \u2013\u00a0Ad Manager & AdSense", "source": "cna", "vendor": "monetizemore"}, "product": "advanced_ads_\u2013\u00a0ad_manager_&_adsense", "vendor": "monetizemore"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-21T00:13:03.000469+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to version 2.0.15 or later to remove the authorization check bug", "Revoke ad placement editing permissions from subscriber-level roles, allowing only administrators to edit placements", "Audit existing ad placements to ensure no unauthorized changes have been made and restore legitimate ad configurations if needed"], "summary": {"action": "Update Plugin", "impact": "Unauthorized Ad Placement Modification"}, "threat_synthesis": {"affected_systems": "All installations of the monetizemore Advanced Ads \u2013 Ad Manager & AdSense WordPress plugin up to and including version 2.0.14 are affected. The issue resides within the plugin\u2019s core admin code and is relevant only to sites that have deployed these plugins on a WordPress installation.", "description_and_impact": "The Advanced Ads \u2013 Ad Manager & AdSense plugin is vulnerable to an authorization bypass that occurs in the placement_update_item() function. The plugin does not correctly verify that the acting user has the proper capability before allowing changes to an ad placement. This flaw lets any authenticated user who has subscriber-level access or higher in WordPress change the ad or ad group that a placement serves, thereby giving an attacker direct control over how ads are displayed on the site. The weakness is a form of CWE\u2011284, an authorization bypass that can lead to unauthorized modification of site content and potential revenue loss.", "risk_and_exploitability": "The CVSS score of 4.3 places the vulnerability in the moderate range, and the EPSS score of less than 1% indicates it is unlikely to be widely exploited at present. It was not listed in the CISA KEV catalog, suggesting no known large\u2011scale exploitation. The attack vector requires an authenticated user with subscriber-level or higher privileges; thus, any user who can log into the WordPress admin area could potentially abuse the flaw if no stricter role restrictions are in place. While the impact is limited to ad placement modification, it can compromise the site's advertising revenue, brand presentation, or provide a platform for malicious advertising."}}}}, "created": "2026-02-19T10:07:35.499554+00:00", "updated": "2026-04-21T00:15:16.133342+00:00", "vendors": ["monetizemore", "monetizemore$PRODUCT$advanced_ads_\u2013\u00a0ad_manager_&_adsense", "wordpress", "wordpress$PRODUCT$wordpress"]}