Medium severity4.3NVD Advisory· Published May 21, 2026· Updated May 21, 2026
CVE-2026-1881
CVE-2026-1881
Description
The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disclose any private post metadata.
Affected products
2<=1.52.2+ 1 more
- (no CPE)range: <=1.52.2
- (no CPE)range: <=1.52.2
Patches
Vulnerability mechanics
References
2News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 18, 2026 to May 24, 2026)Wordfence Blog · May 28, 2026