PatchSiren cyber security CVE debrief
CVE-2026-1881 broadstreetads CVE debrief
CVE-2026-1881 is an authenticated access-control flaw in the Broadstreet plugin for WordPress. A missing validation check on a user-controlled key in the get_sponsored_meta AJAX action can let Subscriber-level and higher users read private post metadata they should not be able to access. The issue is rated medium severity (CVSS 4.3) and is primarily a confidentiality concern.
- Vendor: broadstreetads
- Product: Broadstreet
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
WordPress site operators using the Broadstreet plugin, especially environments that allow Subscriber-level accounts or other low-privilege authenticated users. Security teams should also care if private post metadata is used for editorial workflows, hidden content, or sensitive business data.
Technical summary
The supplied NVD and Wordfence data describe an insecure direct object reference (CWE-639) in the Broadstreet plugin. The vulnerable path is the get_sponsored_meta AJAX action, where a user-controlled key is not adequately validated. Because the action is reachable by authenticated users with Subscriber-level access and above, an attacker in that role can disclose any private post metadata that the action exposes. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.
Defensive priority
Medium. The published CVSS vector records no integrity or availability impact, but the flaw can expose private metadata to low-privilege authenticated users. Prioritize faster remediation if the site stores sensitive editorial, campaign, or customer information in post meta.
Recommended defensive actions
- Update the Broadstreet plugin to a version newer than 1.52.2; the supplied WordPress plugin reference points to a 1.53.2 changeset.
- Review any use of get_sponsored_meta or similar AJAX handlers for object- and key-level authorization checks.
- Audit private post metadata for sensitive values that should not be exposed to authenticated non-admin users.
- Limit low-privilege WordPress accounts where practical and monitor for unusual metadata access patterns.
- Validate the fix in a staging environment before deploying to production if the plugin supports business-critical workflows.
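To make the review item above concrete, here is an added, hypothetical WordPress AJAX handler shaped like the get_sponsored_meta action the technical summary describes, with the key-level and object-level checks whose absence defines CWE-639. It is illustrative code written for this debrief, not the Broadstreet plugin's own source; the action name, the `post_id`/`key`/`nonce` parameters and the allowlist are assumptions.

```php
<?php
// Hypothetical handler illustrating the checks an AJAX action such as
// get_sponsored_meta needs. Not the Broadstreet plugin's own code.
// Assumed request shape: POST post_id, key and a nonce named 'sponsored_meta'.

// Keys this endpoint may return (assumption: a fixed allowlist, never user-defined).
const EXAMPLE_SPONSORED_META_ALLOWED_KEYS = array( 'sponsored_by', 'sponsored_url' );

function example_get_sponsored_meta() {
    // CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'sponsored_meta', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $key     = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';

    // Key-level validation: the user-controlled key must be on the allowlist,
    // and protected (underscore-prefixed) meta is refused even if the list grows.
    // wp_send_json_error() terminates the request, so no return is needed.
    if ( ! in_array( $key, EXAMPLE_SPONSORED_META_ALLOWED_KEYS, true )
        || is_protected_meta( $key, 'post' ) ) {
        wp_send_json_error( array( 'message' => 'invalid key' ), 400 );
    }

    // Object-level authorization: the caller must be allowed to read this
    // specific post. For private posts, read_post maps to read_private_posts
    // (or authorship), which a Subscriber does not have.
    if ( ! $post_id || ! get_post( $post_id ) || ! current_user_can( 'read_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_send_json_success( array(
        'key'   => $key,
        'value' => get_post_meta( $post_id, $key, true ),
    ) );
}

// Logged-in users only: deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_example_get_sponsored_meta', 'example_get_sponsored_meta' );
```

When auditing a plugin's own handlers, the two questions to ask of each one are whether the meta key can be chosen freely by the caller and whether a per-post capability check precedes the get_post_meta call.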
Evidence notes
The CVE description supplied in the corpus states that all versions up to and including 1.52.2 are vulnerable and that authenticated attackers with Subscriber-level access and above may disclose any private post metadata. NVD cites Wordfence as the source and records CWE-639 with CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The referenced WordPress plugin changeset URL shows a transition from broadstreet/tags/1.52.2 to broadstreet/tags/1.53.2. No KEV entry is provided in the corpus.
Official resources
Published by NVD on 2026-05-21T02:16:32.437Z, with the same timestamp in the supplied modified field. The corpus does not list the issue in CISA KEV.