CVE-2026-9236
Description
The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmac_campaigns_action function. This makes it possible for unauthenticated attackers to permanently delete arbitrary advertising campaigns, including their associated banner records and uploaded files, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CM Ad Changer plugin <=2.0.7 has CSRF in campaign deletion, allowing unauthenticated attackers to delete campaigns by tricking an admin.
Vulnerability
The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 2.0.7. The vulnerability exists in the cmac_campaigns_action function, which handles campaign deletion via the delete action in the backend controller [1][2]. The function lacks nonce validation, so it never verifies that the request was deliberately issued from the plugin's own admin page rather than forged by a third-party site the administrator happened to visit while logged in. The affected code path is triggered when a GET request with action=delete and a numeric campaign_id is processed, calling CMAC_Data::cmac_remove_campaign() [2].
Exploitation
An unauthenticated attacker can craft a malicious link or form that, when clicked or submitted by a logged-in site administrator, triggers a forged request to the WordPress admin area. The request must include the action=delete parameter and a valid campaign_id (which can be enumerated or guessed). Because no CSRF token (nonce) is checked, the administrator's browser will execute the deletion as if the administrator intended it. The attacker does not need any prior authentication or special privileges; the only requirement is to trick an administrator into performing an action such as clicking a link.
Impact
Successful exploitation allows an attacker to permanently delete arbitrary advertising campaigns, including all associated banner records and uploaded files. This results in loss of advertising data and potential disruption of the site's banner management functionality. The impact is limited to data deletion; no code execution or privilege escalation is achieved, but the loss of campaign data can be significant for site operators.
Mitigation
The vendor has not released a patched version as of the publication date (2026-05-27). Users should update to a fixed version once available. As a workaround, site administrators can implement additional CSRF protections, such as using a Web Application Firewall (WAF) to block requests to the vulnerable endpoint without a valid nonce, or manually adding nonce checks to the plugin code. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at this time.
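The nonce check the workaround refers to is the standard WordPress pattern: mint a nonce when the delete link is rendered, and verify it (after a capability check) before the destructive call runs. The following is an added illustration written for this page, not the CM Ad Changer plugin's own code; all function, page and option names prefixed example_ are assumptions, and example_cmac_remove_campaign() stands in for whatever data-layer routine actually removes the campaign.

```php
<?php
// Added example (hypothetical): a hardened admin-side "delete campaign" handler in the
// style of a WordPress plugin. Not the CM Ad Changer plugin's code; every example_*
// identifier is an assumption made for illustration.

/**
 * Render the delete link for one campaign in the admin list.
 * wp_nonce_url() appends a _wpnonce parameter tied to the action string; including the
 * campaign id in that string means a nonce issued for one campaign is not valid for another.
 */
function example_cmac_delete_link( $campaign_id ) {
    $campaign_id = absint( $campaign_id );
    $url = add_query_arg(
        array(
            'page'        => 'example-campaigns',
            'action'      => 'delete',
            'campaign_id' => $campaign_id,
        ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_cmac_delete_' . $campaign_id );
}

/**
 * Process the delete action. Order matters: reject anonymous/low-privilege users first,
 * validate input, verify the nonce, and only then touch data.
 */
function example_cmac_campaigns_action() {
    if ( ! isset( $_GET['page'], $_GET['action'] )
        || 'example-campaigns' !== $_GET['page']
        || 'delete' !== $_GET['action'] ) {
        return; // not our request
    }

    // Capability check: a forged request from a non-admin session stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete campaigns.', 'example' ), '', array( 'response' => 403 ) );
    }

    $campaign_id = isset( $_GET['campaign_id'] ) ? absint( $_GET['campaign_id'] ) : 0;
    if ( 0 === $campaign_id ) {
        wp_die( esc_html__( 'Invalid campaign id.', 'example' ), '', array( 'response' => 400 ) );
    }

    // CSRF check: check_admin_referer() verifies _wpnonce against the same action string
    // used when the link was minted, bound to the current user's session. A link forged by
    // a third-party page cannot carry a valid value, so execution stops with a 403 page.
    check_admin_referer( 'example_cmac_delete_' . $campaign_id );

    // Only now is the destructive operation safe to perform.
    // Assumed helper: the plugin's own routine for removing the campaign and its banners.
    example_cmac_remove_campaign( $campaign_id );

    wp_safe_redirect( add_query_arg(
        array( 'page' => 'example-campaigns', 'deleted' => 1 ),
        admin_url( 'admin.php' )
    ) );
    exit;
}
add_action( 'admin_init', 'example_cmac_campaigns_action' );
```

If the handler should fail silently instead of rendering the "are you sure" page, wp_verify_nonce( $_GET['_wpnonce'], 'example_cmac_delete_' . $campaign_id ) returns false on a bad or expired nonce and lets the code decide what to do. Moving the deletion from a GET link to a POST form submitted through admin-post.php, with wp_nonce_field() in the form, is the more conventional shape for a destructive action, but the nonce check is the part that closes this class of bug either way.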
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=2.0.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/cm-ad-changer/tags/2.0.7/backend/cm-ad-changer-backend.php
- plugins.trac.wordpress.org/browser/cm-ad-changer/tags/2.0.7/shared/classes/cmac-data.php
- plugins.trac.wordpress.org/changeset
- www.wordfence.com/threat-intel/vulnerabilities/id/a335c917-3fff-4079-bb38-64cd665c5c38
News mentions
No linked articles in our index yet.