{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25388", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:07.231Z", "datePublished": "2026-02-19T08:27:02.280Z", "dateUpdated": "2026-04-28T16:14:57.628Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ap-plugin-scripteo", "product": "Ads Pro", "vendor": "scripteo", "versions": [{"changes": [{"at": "5.1", "status": "unaffected"}], "lessThanOrEqual": "5.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:06.948Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in scripteo Ads Pro ap-plugin-scripteo allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ads Pro: from n/a through <= 5.0.</p>"}], "value": "Missing Authorization vulnerability in scripteo Ads Pro ap-plugin-scripteo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ads Pro: from n/a through <= 5.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:57.628Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ap-plugin-scripteo/vulnerability/wordpress-ads-pro-plugin-5-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Ads Pro plugin <= 5.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T15:25:28.385526Z", "id": "CVE-2026-25388", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:11:03.377Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25388", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:07.231Z", "datePublished": "2026-02-19T08:27:02.280Z", "dateUpdated": "2026-04-28T13:11:03.377Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ap-plugin-scripteo", "product": "Ads Pro", "vendor": "scripteo", "versions": [{"changes": [{"at": "5.1", "status": "unaffected"}], "lessThanOrEqual": "5.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:51.725Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in scripteo Ads Pro ap-plugin-scripteo allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ads Pro: from n/a through <= 5.0.</p>"}], "value": "Missing Authorization vulnerability in scripteo Ads Pro ap-plugin-scripteo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ads Pro: from n/a through <= 5.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:49.723Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ap-plugin-scripteo/vulnerability/wordpress-ads-pro-plugin-5-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Ads Pro plugin <= 5.0 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25388", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T15:25:28.385526Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:24:39.492Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in scripteo Ads Pro ap-plugin-scripteo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ads Pro: from n/a through <= 5.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en scripteo Ads Pro ap-plugin-scripteo permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Ads Pro: desde n/a hasta &lt;= 5.0."}], "id": "CVE-2026-25388", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:20.953", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ap-plugin-scripteo/vulnerability/wordpress-ads-pro-plugin-5-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Ads Pro", "source": "cna", "vendor": "scripteo"}, "product": "ads_pro", "vendor": "scripteo"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:31:55.551962+00:00", "value": {"mitigation_remediation": ["Update the Ads Pro plugin to a version newer than 5.0 to remove the flaw.", "If an upgrade is not immediately possible, disable or uninstall the plugin until a patched version can be applied.", "Restrict the plugin\u2019s accessed options and endpoints to trusted administrator accounts using WordPress role\u2011based access controls or a web application firewall."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Vendors: scripteo; Product: Ads Pro plugin for WordPress. Versions affected are all releases up to and including 5.0, as identified by the CNA. The issue is present in every deployment that installs an instance of Ads Pro at or below 5.0, regardless of site magnitude or user role configuration.", "description_and_impact": "The Ads Pro WordPress plugin suffers a missing\u2011authorization flaw that allows privileged actions to be performed by users who lack the appropriate security clearance. This broken access control means attackers can execute functions intended only for trusted users, potentially altering ad configurations or accessing sensitive data stored within the plugin. The weakness is a classic example of improper authorization (CWE\u2011862) and could lead to unauthorized changes or data exposure if exercised by a malicious actor.", "risk_and_exploitability": "The CVSS score of 5.4 places this vulnerability in the medium severity range. EPSS indicates a very low exploitation probability (<1%), and the flaw is not yet present in the CISA KEV catalog. While the attack surface is remote\u2014an external actor can send crafted HTTP requests to the WordPress site\u2014the need for correct configuration or user identity indicates that the flaw is most likely exploitable in environments where access controls are poorly enforced or where the plugin is accessible to non\u2011administrator users. This inference about the attack vector is drawn from the description. If exploited, an attacker could gain unauthorized privilege to manipulate ad settings or view data beyond their normal role."}}}}, "created": "2026-02-20T10:08:36.229239+00:00", "updated": "2026-04-16T06:45:16.306267+00:00", "vendors": ["scripteo", "scripteo$PRODUCT$ads_pro", "wordpress", "wordpress$PRODUCT$wordpress"]}