CVE-2026-39698
Description
Missing Authorization vulnerability in PublisherDesk The Publisher Desk ads.txt the-publisher-desk-ads-txt allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Publisher Desk ads.txt: from n/a through <= 1.5.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Publisher Desk ads.txt plugin for WordPress (<=1.5.0) has a missing authorization vulnerability that allows unauthenticated attackers to exploit incorrectly configured access controls.
The Publisher Desk ads.txt WordPress plugin, in versions up to and including 1.5.0, suffers from a missing authorization vulnerability. The plugin fails to properly verify access rights when handling certain requests, leaving critical functions exposed to unauthenticated users. This issue stems from incorrectly configured access control security levels, which can be exploited by attackers without any prior authentication [1].
Exploitation requires no special prerequisites; an attacker only needs to send crafted HTTP requests to the affected WordPress site. The missing authorization check means that any user, including those with no account, can invoke actions that should be restricted to higher-privileged roles. Such vulnerabilities are commonly used in mass-exploit campaigns targeting thousands of sites simultaneously [1].
A successful exploit could allow an attacker to manipulate the ads.txt file or other sensitive plugin settings, potentially leading to unauthorized redirection of ad revenue or injection of malicious content. The exact impact depends on the specific function that lacks authorization, but the broken access control undermines the security of the entire site [1].
The vendor has released a fix beyond version 1.5.0. Users are strongly advised to update the plugin immediately. If updating is not possible, site owners should contact their hosting provider or a web developer for assistance. This vulnerability has a CVSS score of 5.3 (Medium) and is being actively targeted in automated attacks [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.5.0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.