PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9236 creativemindssolutions CVE debrief

A Cross-Site Request Forgery (CSRF) vulnerability in the CM Ad Changer WordPress plugin lets an unauthenticated attacker permanently delete arbitrary advertising campaigns, including their banner records and uploaded files, by tricking a logged-in site administrator into clicking a malicious link. The root cause is missing or incorrect nonce validation on the `cmac_campaigns_action` function. The CVSS 3.1 score of 4.3 (Medium) corresponds to the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, low integrity impact and no confidentiality or availability impact. All versions up to and including 2.0.7 are affected. The Wordfence advisory and a changeset in the plugin repository indicate that a fix has been committed.

Vendor
creativemindssolutions
Product
CM Ad Changer – A simple tool to control and optimize your site's banners
CVSS
MEDIUM 4.3
CISA KEV
Not listed in the evidence collected for this debrief
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

WordPress site administrators using CM Ad Changer plugin versions 2.0.7 or earlier; security teams managing WordPress installations; digital marketing operations dependent on advertising campaign continuity

Technical summary

The CM Ad Changer plugin for WordPress does not validate a nonce on the `cmac_campaigns_action` administrative function. Because of that CSRF weakness, an unauthenticated remote attacker can craft a request, for example a link on a page the attacker controls, that the administrator's browser submits with the administrator's own authenticated session; the plugin cannot distinguish it from a request the administrator initiated. Successful exploitation permanently deletes the targeted advertising campaigns, including their database records and uploaded banner files. The attack requires social engineering: the administrator must visit the malicious page while logged in to the WordPress admin panel. Because the action fires on a plain link (a top-level GET navigation), the SameSite=Lax cookie default of current browsers does not block it; only a server-side nonce or Origin/Referer check does. The weakness is classified as CWE-352 (Cross-Site Request Forgery).
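The pattern below is added here as an illustration and is not taken from CM Ad Changer's source. It shows a hypothetical WordPress delete handler written the way the advisory describes (reachable from a link, no nonce check) beside the same handler hardened with WordPress's own `check_admin_referer()` and `current_user_can()`. The action slug `demo_delete_campaign`, the `demo_campaigns` table and its `banner_path` column, and the `manage_options` capability are assumptions. The file runs as a drop-in plugin on WordPress 4.2 or later (for `wp_delete_file()`); the vulnerable handler is defined for comparison but deliberately not hooked.

```php
<?php
/**
 * Plugin Name: CSRF Nonce Demo (added example, not CM Ad Changer code)
 *
 * Illustrates the CWE-352 pattern from the advisory: an admin action that
 * deletes a record is reachable through a plain link, and the vulnerable
 * version never checks a nonce. All names below are hypothetical.
 */

const DEMO_DELETE_ACTION = 'demo_delete_campaign'; // assumption: action slug

/* Vulnerable pattern (before). Any page the logged-in admin visits can
 * trigger it with a GET such as
 *   /wp-admin/admin-post.php?action=demo_delete_campaign&campaign_id=7
 * because nothing ties the request to the admin's intent. NOT hooked. */
function demo_delete_campaign_vulnerable() {
    global $wpdb;
    $id = absint( $_GET['campaign_id'] ?? 0 );
    // Missing: check_admin_referer() and current_user_can()
    $wpdb->delete( $wpdb->prefix . 'demo_campaigns', array( 'id' => $id ), array( '%d' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-campaigns' ) );
    exit;
}

/* Hardened pattern (after). */
function demo_delete_campaign_secure() {
    global $wpdb;
    $id = absint( $_GET['campaign_id'] ?? 0 );

    // 1. Authorization: a nonce is not a permission check, so verify the
    //    capability first (assumption: manage_options is the right one).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: the nonce is derived from the victim's user ID and
    //    session token plus this action string, so a link built on an
    //    attacker's site cannot carry a valid one. Binding the record ID into
    //    the action string stops one valid nonce from deleting other rows.
    //    check_admin_referer() calls wp_die() when the nonce is bad.
    check_admin_referer( DEMO_DELETE_ACTION . '_' . $id, '_wpnonce' );

    // 3. Delete the row and the uploaded banner it referenced (assumption:
    //    banner_path holds an absolute filesystem path).
    $table = $wpdb->prefix . 'demo_campaigns';
    $file  = $wpdb->get_var(
        $wpdb->prepare( "SELECT banner_path FROM {$table} WHERE id = %d", $id )
    );
    $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );
    if ( $file ) {
        wp_delete_file( $file );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=demo-campaigns' ) );
    exit;
}

// admin_post_* hooks run only for logged-in users. That does NOT stop CSRF:
// the victim admin is logged in, which is exactly what the forged link relies on.
add_action( 'admin_post_' . DEMO_DELETE_ACTION, 'demo_delete_campaign_secure' );

// The legitimate UI builds its delete links with a matching nonce.
function demo_delete_link( $id ) {
    $id  = absint( $id );
    $url = add_query_arg(
        array( 'action' => DEMO_DELETE_ACTION, 'campaign_id' => $id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, DEMO_DELETE_ACTION . '_' . $id, '_wpnonce' );
}
```

WordPress nonces are not single-use: one remains valid for the same user and session for up to 24 hours, so the capability check and the per-record action string are what keep a leaked nonce from becoming a general delete token. The same fix applies whether the handler is reached through `admin-post.php`, an `admin.php?page=` screen or AJAX; the only thing that changes is which WordPress function you pair the nonce with (`check_ajax_referer()` for AJAX).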

Defensive priority

Medium

Recommended defensive actions

  • Update the CM Ad Changer plugin to the release that contains the fix (2.0.8 or later, once the fixed release is published; every version up to and including 2.0.7 is affected)
  • Verify plugin version and apply pending updates through WordPress admin dashboard
  • Review web server access logs, and any activity-logging plugin you run (WordPress core keeps no admin action log), for campaign deletion requests on or before 2026-05-27 whose Referer is absent or points to a site other than your own
  • Enforce CSRF protection for WordPress administrative requests at the web application firewall, for example by rejecting state-changing wp-admin requests whose Origin or Referer header does not belong to your site
  • Educate site administrators about phishing risks and verify unexpected links before clicking
  • Set the SameSite attribute on WordPress authentication cookies (Strict, or Lax with state-changing actions restricted to POST) and validate the Origin header server-side; a Content Security Policy does not prevent CSRF, because the forged request originates from the attacker's page rather than from yours
  • Review and backup advertising campaign configurations regularly to enable recovery from unauthorized deletion
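To act on the log-review step, the script below (an added example, not PatchSiren or plugin code) scans web server access log lines for WordPress admin actions whose Referer is missing or points off-site, which is what a CSRF-triggered deletion looks like from the server: the administrator's own IP and session, but a navigation that started on an attacker's page. The host name, the `delete` action substring, the URL shapes and the four log lines are all constructed; the real plugin's endpoint and parameters are not on this page, so set `ACTION_HINT` to match the request your installation's campaign deletion actually issues. Requires PHP 8.

```php
<?php
// Added example, not PatchSiren or plugin code. Flags requests that hit a
// WordPress admin action from an off-site page or with no Referer at all.
// Site host, action substring and log lines are constructed for illustration.

const SITE_HOST   = 'shop.example'; // assumption: the WordPress site's host
const ACTION_HINT = 'delete';       // assumption: marks the deletion action

// Constructed sample lines in Apache/nginx "combined" format.
$sample_log = <<<'LOG'
203.0.113.7 - - [27/May/2026:10:02:11 +0000] "GET /wp-admin/admin.php?page=campaigns&action=delete&id=7 HTTP/1.1" 302 0 "https://evil.example/free-themes.html" "Mozilla/5.0"
203.0.113.7 - - [27/May/2026:10:05:40 +0000] "GET /wp-admin/admin.php?page=campaigns&action=delete&id=8 HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=campaigns" "Mozilla/5.0"
203.0.113.7 - - [27/May/2026:10:07:02 +0000] "GET /wp-admin/admin.php?page=campaigns HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [27/May/2026:10:09:13 +0000] "POST /wp-admin/admin-post.php?action=delete_campaign HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line into its fields; null if it does not match.
function parse_combined_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
        'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7],
    ];
}

// True when the request targets wp-admin with an action that looks like the
// deletion we are hunting for.
function is_admin_action( array $r ): bool {
    $path = parse_url( $r['path'], PHP_URL_PATH ) ?? '';
    parse_str( parse_url( $r['path'], PHP_URL_QUERY ) ?? '', $q );
    return str_starts_with( $path, '/wp-admin/' )
        && isset( $q['action'] )
        && str_contains( $q['action'], ACTION_HINT );
}

// A missing Referer is treated as suspicious rather than ignored: admins
// rarely type a delete URL by hand, and a cross-site navigation under a
// strict Referrer-Policy still sends at least the attacker's origin.
function referer_is_offsite( string $referer ): bool {
    if ( $referer === '' || $referer === '-' ) {
        return true;
    }
    $host = parse_url( $referer, PHP_URL_HOST );
    return strcasecmp( (string) $host, SITE_HOST ) !== 0;
}

// Return every parsed request that is an admin action from off-site.
function find_suspicious( string $log ): array {
    $hits = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $r = parse_combined_line( $line );
        if ( $r && is_admin_action( $r ) && referer_is_offsite( $r['referer'] ) ) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Two of the four constructed lines are flagged: the GET from evil.example
// and the POST with no Referer. The same-site delete and the plain page view
// are not.
foreach ( find_suspicious( $sample_log ) as $h ) {
    printf( "%s %s %s %s referer=%s\n", $h['time'], $h['ip'], $h['method'], $h['path'], $h['referer'] );
}
```

Run it against a real log with `php scan.php` after replacing `$sample_log` with `file_get_contents()` of the access log. Treat hits as leads, not proof: a browser that strips Referer (privacy extensions, `Referrer-Policy: no-referrer` on your own admin) produces the same signature, so confirm against the plugin's campaign list and your backups before calling an entry malicious.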

Evidence notes

The vulnerability was reported by Wordfence and published in the NVD on 2026-05-27. Source code analysis of version 2.0.7 confirms the affected function lacks proper nonce validation. A changeset in the WordPress plugin repository indicates remediation activity. The CVSS vector confirms user interaction is required, limiting exploitability to social engineering scenarios.

Official resources

2026-05-27