PatchSiren cyber security CVE debrief
CVE-2019-25727 ad-manager-wd CVE debrief
CVE-2019-25727 is a critical vulnerability in WordPress Plugin ad manager wd 1.0.11. The vulnerability allows unauthenticated attackers to download sensitive files by manipulating the path parameter. Attackers can send GET requests to the edit.php endpoint with export=export_csv and a malicious path parameter to read arbitrary files like wp-config.php accessible to the web server. The CVSS score for this vulnerability is 9.3, indicating a critical severity.
- Vendor: ad-manager-wd
- Product: Unknown
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-04
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-04
Who should care
Administrators of WordPress installations using the ad manager wd plugin version 1.0.11 should prioritize patching this vulnerability to prevent potential exploitation.
Technical summary
The vulnerability exists in the WordPress Plugin ad manager wd version 1.0.11. It allows unauthenticated attackers to download arbitrary files by manipulating the path parameter in a GET request to the edit.php endpoint with export=export_csv.
Defensive priority
High
Recommended defensive actions
- Patch the vulnerability by updating the ad manager wd plugin to a version that is not vulnerable.
- Restrict access to the edit.php endpoint to only authenticated users.
- Monitor for suspicious activity on the WordPress installation.
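For the monitoring action above, one way to review web server access logs for the request pattern this debrief describes. This is an added example, not code from the advisory or the plugin: it assumes combined-format access logs, the function names `classify` and `scan` are hypothetical, and the sample log lines (including the `/wp-admin/` location and the IP addresses) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None for unrelated lines, else a finding dict."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("/edit.php"):
        return None
    query = parse_qs(url.query, keep_blank_values=True)  # decodes once
    if "export_csv" not in query.get("export", []) or "path" not in query:
        return None
    path_value = fully_decode(query["path"][0]).replace("\\", "/")
    traversal = ".." in path_value.split("/") or path_value.startswith("/")
    sensitive = "wp-config" in path_value.lower()
    return {"ip": m["ip"], "status": int(m["status"]), "path": path_value,
            "severity": "high" if traversal or sensitive else "review"}

def scan(lines):
    """Collect findings for every matching log line."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-admin/edit.php?export=export_csv&path=../wp-config.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-admin/edit.php?export=export_csv&path=%252e%252e%252fwp-config.php HTTP/1.1" 200 3120',
    '198.51.100.4 - - [01/Jan/2024:10:05:00 +0000] "GET /wp-admin/edit.php?post_type=page HTTP/1.1" 200 8841',
    '198.51.100.9 - - [01/Jan/2024:10:06:00 +0000] "GET /wp-admin/edit.php?export=export_csv&path=report.csv HTTP/1.1" 302 0',
    '198.51.100.4 - - [01/Jan/2024:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A `high` finding with a 200 status means the server returned content for the request, so the named file and any secrets in it should be treated as exposed.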
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide information on the vulnerability. Additional references include [ref-4], [ref-5], and [ref-6].
Official resources
CVE-2019-25727 was published on 2019-03-12 and modified on 2019-03-12.