{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24603", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:17.046Z", "datePublished": "2026-01-23T14:29:03.593Z", "dateUpdated": "2026-04-28T16:14:50.344Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "universal-google-adsense-and-ads-manager", "product": "Universal Google Adsense and Ads manager", "vendor": "themebeez", "versions": [{"lessThanOrEqual": "1.1.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:50.560Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Universal Google Adsense and Ads manager: from n/a through <= 1.1.8.</p>"}], "value": "Missing Authorization vulnerability in themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Universal Google Adsense and Ads manager: from n/a through <= 1.1.8."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.344Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/universal-google-adsense-and-ads-manager/vulnerability/wordpress-universal-google-adsense-and-ads-manager-plugin-1-1-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Universal Google Adsense and Ads manager plugin <= 1.1.8 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T20:29:04.874475Z", "id": "CVE-2026-24603", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:37:58.103Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24603", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T20:29:04.874475Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T20:28:54.736Z"}}], "cna": {"title": "WordPress Universal Google Adsense and Ads manager plugin <= 1.1.8 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "themebeez", "product": "Universal Google Adsense and Ads manager", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1.8"}], "packageName": "universal-google-adsense-and-ads-manager", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:50.560Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/universal-google-adsense-and-ads-manager/vulnerability/wordpress-universal-google-adsense-and-ads-manager-plugin-1-1-8-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Universal Google Adsense and Ads manager: from n/a through <= 1.1.8.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Universal Google Adsense and Ads manager: from n/a through <= 1.1.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.344Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24603", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:50.344Z", "dateReserved": "2026-01-23T12:32:17.046Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:29:03.593Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Universal Google Adsense and Ads manager: from n/a through <= 1.1.8."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Universal Google Adsense and Ads manager: desde n/a hasta &lt;= 1.1.8."}], "id": "CVE-2026-24603", "lastModified": "2026-04-28T15:16:18.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:18.943", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/universal-google-adsense-and-ads-manager/vulnerability/wordpress-universal-google-adsense-and-ads-manager-plugin-1-1-8-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:33:50.804145+00:00", "value": {"mitigation_remediation": ["Update the Universal Google Adsense and Ads manager plugin to the latest version that addresses the authorization issue", "If an update is not immediately available, disable the plugin from the WordPress admin panel or remove it entirely from the site to prevent unauthenticated use", "Restrict access to the plugin\u2019s administrative pages by adding explicit role checks so that only Administrators can perform modification tasks", "Monitor WordPress logs for unexpected administrative activity to detect any exploitation attempts"], "summary": {"action": "Patch Immediately", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The issue affects the WordPress plugin Universal Google Adsense and Ads manager by themebeez, specifically all versions from the earliest release through version 1.1.8. No other versions or products were identified as affected.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows users to exploit incorrectly configured access control security levels within the Universal Google Adsense and Ads manager plugin. This flaw means that attackers can perform actions that should be restricted to privileged users, such as adding, editing, or deleting advertisement configurations and other administrative functions. The impact is the unauthorized alteration of advertising settings, which can lead to defacement, monetization theft, or other changes within the site without proper authentication or authorization.", "risk_and_exploitability": "With a CVSS score of 5.3 the flaw represents moderate severity, while an EPSS score of less than 1% indicates a very low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an unauthenticated or low\u2011privileged user interacting with the plugin\u2019s administrative endpoints, taking advantage of the missing permission checks to execute privileged operations."}}}}, "created": "2026-01-26T11:52:41.161736+00:00", "updated": "2026-04-16T01:45:20.649537+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}