CVE-2026-40782

Vulnerability

The WPAdverts plugin for WordPress versions 2.3.0 and earlier are affected by an unauthenticated broken access control vulnerability [1]. This missing authorization or nonce token check in a function enables an unprivileged user to execute actions that should require higher privileges, without any authentication.

Exploitation

An unauthenticated attacker can exploit the vulnerability remotely by sending crafted HTTP requests to the affected endpoints. No prior access or user interaction is required, making it straightforward to target multiple sites in automated mass-exploit campaigns [1].

Impact

Successful exploitation allows an attacker to perform privileged actions, such as modifying or deleting adverts, altering plugin settings, or accessing restricted data, potentially leading to data disclosure and site manipulation. The vulnerability has been rated with a CVSS v3 score of 6.5 (Medium) and is expected to become actively exploited [1].

Mitigation

The vulnerability is fixed in WPAdverts version 2.3.1 and later. Users are strongly advised to update immediately. If updating is not possible, applying a virtual patch or mitigation rule (e.g., via Patchstack) can provide temporary protection [1].