CVE-2025-13592

Advanced Ads <= 2.0.14 - Authenticated (Editor+) Remote Code Execution via Shortcode

highImproper Control of Generation of Code ('Code Injection')

7.2

CVSS Score

7.2

CVSS Score

high

Severity

2.0.15

Patched in

Time to patch

Description

The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.0.14 via the 'change-ad__content' shortcode parameter. This allows authenticated attackers with editor-level permissions or above, to execute code on the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

High

Confidentiality

High

Integrity

High

Availability

Technical Details

Affected versions<=2.0.14

PublishedDecember 29, 2025

Last updatedDecember 29, 2025

Affected pluginadvanced-ads

Source Code

WordPress.org SVN

Vulnerable v2.0.14

Browse source Download .zip

Patched v2.0.15

Browse source Download .zip

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/f9e83561-aa71-4984-8a26-207e208d70e8?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database