CVE-2025-9988: Broadstreet WordPress Auth Bypass Flaw

CVE-2025-9988 Overview

CVE-2025-9988 is a missing authorization vulnerability [CWE-285] in the Broadstreet plugin for WordPress. The flaw resides in the create_advertiser AJAX action, which lacks a capability check. All versions up to and including 1.53.1 are affected. Authenticated users with Subscriber-level access or higher can invoke the action to create advertiser records inside the plugin. The issue does not require user interaction and is exploitable over the network. The vendor addressed the defect in changeset 3524817 published on the WordPress plugin repository.

Critical Impact

Any authenticated WordPress user, including low-privileged Subscriber accounts, can create advertiser entries through an unauthenticated-style AJAX endpoint, undermining the plugin's authorization model.

Affected Products

• Broadstreet plugin for WordPress, versions up to and including 1.53.1
• WordPress sites that allow open user registration with default Subscriber role
• Multi-author WordPress deployments using the Broadstreet ad management plugin

Discovery Timeline

• 2026-05-13 - CVE-2025-9988 published to the National Vulnerability Database
• 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2025-9988

Vulnerability Analysis

The Broadstreet plugin exposes a create_advertiser action through the WordPress AJAX handler. WordPress registers AJAX endpoints using wp_ajax_{action} hooks, which authenticate the request but do not enforce a specific capability. The plugin's handler executes the advertiser creation logic without verifying whether the calling user possesses an administrative or editor capability. The result is a broken access control condition classified as Missing Authorization [CWE-285]. Any user that can authenticate to WordPress can issue the AJAX request and modify plugin state.

The impact is limited to integrity of the plugin's advertiser data. Confidentiality and availability are not directly affected. However, attacker-created advertiser records can be used to seed downstream abuse, such as injecting attacker-controlled ad content or polluting reporting data tied to the Broadstreet platform.

Root Cause

The root cause is the absence of a current_user_can() capability check inside the create_advertiser AJAX callback. WordPress relies on plugin developers to gate sensitive actions with explicit role or capability validation. The handler also lacks a granular nonce-to-capability binding, so authentication alone is sufficient to reach the privileged code path.

Attack Vector

An attacker registers or logs into a Subscriber account on a vulnerable WordPress site. The attacker then sends an authenticated POST request to /wp-admin/admin-ajax.php with the action parameter set to create_advertiser and supplies the advertiser fields expected by the handler. The server processes the request and persists the new advertiser. No social engineering or victim interaction is required. The attack succeeds against any site where the plugin is active and user registration or low-privileged accounts exist.

No public proof-of-concept exploit code has been published. Readers can review the patch in the WordPress Changeset Update and the Wordfence Vulnerability Report for technical details.

Detection Methods for CVE-2025-9988

Indicators of Compromise

• Unexpected advertiser records created in the Broadstreet plugin database tables or dashboard
• Authenticated POST requests to /wp-admin/admin-ajax.php with action=create_advertiser from non-administrator user sessions
• Subscriber or Contributor accounts generating AJAX traffic targeting plugin management endpoints

Detection Strategies

• Audit the Broadstreet plugin admin interface for advertiser entries that do not match known campaigns or business records
• Parse WordPress access logs for admin-ajax.php requests where the action parameter equals create_advertiser and correlate the source user role
• Enable WordPress audit logging plugins to record AJAX invocations by user ID and role

Monitoring Recommendations

• Alert on any privileged plugin AJAX action invoked by users below the Editor role
• Track creation rate of advertiser objects and trigger review when volume exceeds business baselines
• Monitor user registrations from anonymizing infrastructure such as VPNs and Tor exit nodes when open registration is enabled

How to Mitigate CVE-2025-9988

Immediate Actions Required

• Update the Broadstreet plugin to the version published in changeset 3524817, which is the first release after 1.53.1
• Review existing advertiser records and remove entries that were not created by authorized staff
• Audit WordPress user accounts and remove unused Subscriber accounts created during the exposure window

Patch Information

The vendor fixed the issue in changeset 3524817 on the WordPress plugin repository. The patch adds a capability check to the create_advertiser AJAX handler so that only users with the appropriate role can create advertisers. Administrators should upgrade through the WordPress plugin updater or by downloading the patched release directly from the WordPress Changeset Update.

Workarounds

• Disable the Broadstreet plugin until the patched version can be deployed
• Disable open user registration under Settings → General → Membership to prevent attackers from self-provisioning Subscriber accounts
• Restrict access to /wp-admin/admin-ajax.php at the web application firewall layer for requests carrying action=create_advertiser from non-administrative sessions

# Web application firewall rule example (ModSecurity)
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" \
    "chain,phase:2,deny,status:403,id:1009988,\
    msg:'Block Broadstreet create_advertiser AJAX (CVE-2025-9988)'"
    SecRule ARGS:action "@streq create_advertiser" \
        "chain"
        SecRule REQUEST_HEADERS:Cookie "!@rx wordpress_logged_in_admin"