PatchSiren cyber security CVE debrief
CVE-2026-11900 spacetime CVE debrief
The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference, allowing authenticated attackers with Contributor-level access and above to read the full content of arbitrary posts, including Private, Draft, Pending, Trashed, and password-protected posts owned by other users. This is due to insufficient authorization checks in the replace_ai_tags() function. The vulnerability has a CVSS score of 4.3 and is considered Medium priority.
- Vendor
- spacetime
- Product
- Ad Inserter – Ad Manager & AdSense Ads
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-03
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-03
- Advisory updated
- 2026-07-07
Who should care
Authenticated attackers with Contributor-level access and above can exploit this vulnerability to read the full content of arbitrary posts, including Private, Draft, Pending, Trashed, and password-protected posts owned by other users. Operators of WordPress sites using the Ad Inserter plugin, security teams, and vulnerability management teams should be aware of this vulnerability and take necessary actions to mitigate it.
Technical summary
The vulnerability exists in the replace_ai_tags() function, which processes a {reusable-block-N} tag pattern and calls get_post_field('post_content', N) without proper authorization checks. This allows authenticated attackers to read arbitrary post content by placing the shortcode in a post they own and previewing it. The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16. The issue arises from insufficient verification of the requesting user's capability, lack of post type restriction to 'wp_block', and absence of post status checks.
Defensive priority
Medium priority due to the CVSS score of 4.3 and the potential for data exposure.
Recommended defensive actions
- Update the Ad Inserter – Ad Manager & AdSense Ads plugin to a version beyond 2.8.16.
- Restrict access to sensitive post content using WordPress access controls.
- Monitor for suspicious activity related to the [adinserter] shortcode.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-03T09:16:36.613Z and was last modified on 2026-07-07T18:16:34.043Z. The NVD entry is currently Deferred. The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-block-N} tag pattern that calls get_post_field('post_content', N) without verifying the requesting user's capability with current_user_can('read_post'), without restricting the post type to 'wp_block', and without checking the post status. Evidence is based on CVE and NVD records, which may have limited detail. Defenders should verify affected product deployments, review official advisories, and plan vendor-supported updates or mitigations.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T09:16:36.613Z and has not been modified since then. The NVD entry is currently Deferred.