{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69311", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:02.743Z", "datePublished": "2026-01-22T16:52:31.715Z", "dateUpdated": "2026-04-28T20:48:04.512Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "broadstreet", "product": "Broadstreet Ads", "vendor": "Broadstreet", "versions": [{"changes": [{"at": "1.52.2", "status": "unaffected"}], "lessThanOrEqual": "1.52.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:23.881Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Broadstreet Ads: from n/a through <= 1.52.1.</p>"}], "value": "Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broadstreet Ads: from n/a through <= 1.52.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.292Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/broadstreet/vulnerability/wordpress-broadstreet-ads-plugin-1-52-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Broadstreet Ads plugin <= 1.52.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T18:02:58.542568Z", "id": "CVE-2025-69311", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:48:04.512Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69311", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T18:02:58.542568Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T18:02:54.956Z"}}], "cna": {"title": "WordPress Broadstreet Ads plugin <= 1.52.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Broadstreet", "product": "Broadstreet Ads", "versions": [{"status": "affected", "changes": [{"at": "1.52.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.52.1"}], "packageName": "broadstreet", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:23.881Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/broadstreet/vulnerability/wordpress-broadstreet-ads-plugin-1-52-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broadstreet Ads: from n/a through <= 1.52.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Broadstreet Ads: from n/a through <= 1.52.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:12.879Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69311", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:12.879Z", "dateReserved": "2025-12-31T20:12:02.743Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:31.715Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broadstreet Ads: from n/a through <= 1.52.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Broadstreet Broadstreet Ads broadstreet permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Broadstreet Ads: desde n/a hasta &lt;= 1.52.1."}], "id": "CVE-2025-69311", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:26.720", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/broadstreet/vulnerability/wordpress-broadstreet-ads-plugin-1-52-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:13:21.025153+00:00", "value": {"mitigation_remediation": ["Upgrade Broadstreet Ads plugin to 1.52.2 or later to apply the vendor\u2019s fix", "Ensure that only users with the Administrator role can access the plugin\u2019s settings pages by checking WordPress capabilities before rendering the interface", "If an upgrade is temporarily unavailable, block or redirect non\u2011administrator users from the plugin\u2019s admin URLs using a role\u2011based access control plugin or firewall rules"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Access to plugin configuration and data"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Broadstreet Ads plugin version 1.52.1 or earlier are affected. The vulnerability applies to all installations that include the plugin regardless of the site\u2019s configuration, as the flaw resides in the core plugin code rather than in specific settings.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows users to exploit incorrectly configured access control levels in the Broadstreet Ads WordPress plugin. An attacker who can reach the plugin\u2019s administrative interface may view, modify, or delete advertising settings, potentially leading to data exposure, service disruption, or malicious advertising content. This is a classic broken access control weakness (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 7.6 classifies the flaw as high severity. With an EPSS score under 1\u202f%, the likelihood of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV database. The likely attack vector is via any authenticated user who can access the plugin\u2019s administration pages; if access control is not correctly enforced, even users with limited roles could exploit the bug. Attackers would need only the ability to reach the plugin\u2019s management URLs, so the threat hinges on the weakness in role checks rather than on complex prerequisites."}}}}, "created": "2026-01-23T16:28:12.414427+00:00", "updated": "2026-04-27T21:15:05.550600+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}