creativemindssolutions CVE debriefs

CVE-2026-9236

A Cross-Site Request Forgery (CSRF) vulnerability in the CM Ad Changer WordPress plugin allows unauthenticated attackers to permanently delete arbitrary advertising campaigns, including associated banner records and uploaded files, by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing or incorrect nonce validation on the `cmac_campaigns_action` function. The [truncated]