CVE-2026-1881 Overview
CVE-2026-1881 is an Insecure Direct Object Reference (IDOR) vulnerability in the Broadstreet plugin for WordPress. The flaw affects all versions up to and including 1.52.2. The vulnerability resides in the get_sponsored_meta AJAX action, which fails to validate a user-controlled key. Authenticated attackers with Subscriber-level access or higher can disclose private post metadata from the WordPress installation. The issue is classified under CWE-639: Authorization Bypass Through User-Controlled Key.
Critical Impact
Authenticated users with minimal privileges can read arbitrary private post metadata, exposing confidential information stored alongside WordPress posts.
Affected Products
- Broadstreet plugin for WordPress versions up to and including 1.52.2
- Fixed in Broadstreet version 1.53.2
- WordPress sites that allow user registration at the Subscriber level or higher
Discovery Timeline
- 2026-05-21 - CVE-2026-1881 published to NVD
- 2026-05-21 - Last updated in NVD database
Technical Details for CVE-2026-1881
Vulnerability Analysis
The Broadstreet plugin exposes an AJAX endpoint named get_sponsored_meta. This endpoint accepts a key parameter supplied by the requesting user. The handler retrieves post metadata based on that key without confirming the requester has permission to view the underlying object. As a result, an authenticated attacker can supply identifiers belonging to private posts and receive their metadata in the response. The CWE-639 classification reflects this authorization bypass through a user-controlled key.
Root Cause
The root cause is missing object-level authorization. The get_sponsored_meta AJAX action trusts the key supplied by the client and queries WordPress metadata without verifying that the calling user has read access to the referenced post. Subscriber accounts pass the authentication check but should not be able to read private content created by editors or administrators.
Attack Vector
Exploitation requires an authenticated session with at least Subscriber privileges. On WordPress sites that allow open user registration, any network attacker can obtain such an account. The attacker sends crafted requests to the WordPress admin-ajax.php endpoint specifying the get_sponsored_meta action and an arbitrary post identifier. The server returns the associated metadata regardless of the post's visibility setting. No user interaction is required from the legitimate owner of the data.
No public proof-of-concept code is referenced in the advisory. Technical details are available in the Wordfence Vulnerability Report and the WordPress Plugin Change Log.
Detection Methods for CVE-2026-1881
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=get_sponsored_meta from low-privileged user sessions
- Repeated AJAX requests iterating sequential post IDs or metadata keys from a single authenticated user
- Anomalous data egress volumes tied to Subscriber-level accounts
Detection Strategies
- Inspect WordPress access logs for the get_sponsored_meta action correlated with non-administrative user cookies
- Alert on Subscriber accounts generating high request rates against admin-ajax.php
- Review newly registered accounts that immediately interact with Broadstreet AJAX endpoints
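The detection strategies above can be turned into a simple log-review script. The following PHP CLI detector is an added example and is not part of the advisory or of the Broadstreet plugin: it reads constructed admin-ajax.php request log lines, keeps only get_sponsored_meta requests, excludes editor and administrator accounts, and flags any remaining user who touches many distinct post IDs or a sequential run of IDs. The log line format, the role lookup table (something like the output of `wp user list --fields=user_login,roles`) and the threshold are all assumptions; adapt the regular expression to whatever your verbose request logging actually emits.

```php
<?php
// Added example (not the advisory's or the plugin's code): flag low-privileged
// users enumerating post IDs through the get_sponsored_meta AJAX action.
// Log format, sample lines, role map and threshold are constructed assumptions.

$bs_example_threshold = 5; // distinct keys before a user is flagged (assumed)

// Constructed sample log: an editor doing normal work, a subscriber enumerating.
$bs_example_log = <<<'LOG'
2026-05-22T10:00:01Z user=editor_alice POST /wp-admin/admin-ajax.php body="action=get_sponsored_meta&key=42"
2026-05-22T10:00:03Z user=sub_bob POST /wp-admin/admin-ajax.php body="action=get_sponsored_meta&key=1"
2026-05-22T10:00:04Z user=sub_bob POST /wp-admin/admin-ajax.php body="action=get_sponsored_meta&key=2"
2026-05-22T10:00:05Z user=sub_bob POST /wp-admin/admin-ajax.php body="action=get_sponsored_meta&key=3"
2026-05-22T10:00:06Z user=sub_bob POST /wp-admin/admin-ajax.php body="action=get_sponsored_meta&key=4"
2026-05-22T10:00:07Z user=sub_bob POST /wp-admin/admin-ajax.php body="action=get_sponsored_meta&key=5"
2026-05-22T10:00:08Z user=sub_bob POST /wp-admin/admin-ajax.php body="action=get_sponsored_meta&key=6"
2026-05-22T10:00:09Z user=sub_carol POST /wp-admin/admin-ajax.php body="action=heartbeat"
2026-05-22T10:00:10Z user=editor_alice POST /wp-admin/admin-ajax.php body="action=get_sponsored_meta&key=42"
LOG;

// Role lookup (assumed), e.g. exported from: wp user list --fields=user_login,roles
$bs_example_roles = array(
    'editor_alice' => 'editor',
    'sub_bob'      => 'subscriber',
    'sub_carol'    => 'subscriber',
);

/** Parse one line into [user, key], or null if it is not a get_sponsored_meta request. */
function bs_example_parse_line( string $line ): ?array {
    if ( ! preg_match( '/user=(\S+) POST \/wp-admin\/admin-ajax\.php body="([^"]*)"/', $line, $m ) ) {
        return null;
    }
    parse_str( $m[2], $params );
    if ( ( $params['action'] ?? '' ) !== 'get_sponsored_meta' ) {
        return null;
    }
    return array( $m[1], (string) ( $params['key'] ?? '' ) );
}

/** Return findings keyed by user: role, number of distinct keys, sequential-run flag. */
function bs_example_detect( string $log, array $roles, int $threshold ): array {
    $keys_by_user = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $hit = bs_example_parse_line( $line );
        if ( $hit ) {
            $keys_by_user[ $hit[0] ][ $hit[1] ] = true;
        }
    }
    $findings = array();
    foreach ( $keys_by_user as $user => $keys ) {
        $role = $roles[ $user ] ?? 'unknown';
        if ( in_array( $role, array( 'administrator', 'editor' ), true ) ) {
            continue; // privileged roles may legitimately read private post metadata
        }
        $ids = array_map( 'intval', array_keys( $keys ) );
        sort( $ids );
        // A run like 1,2,3,... with no gaps is the classic IDOR enumeration shape.
        $sequential = count( $ids ) >= 3 && ( end( $ids ) - $ids[0] ) === count( $ids ) - 1;
        if ( count( $ids ) >= $threshold || $sequential ) {
            $findings[ $user ] = array(
                'role'          => $role,
                'distinct_keys' => count( $ids ),
                'sequential'    => $sequential,
            );
        }
    }
    return $findings;
}

foreach ( bs_example_detect( $bs_example_log, $bs_example_roles, $bs_example_threshold ) as $user => $f ) {
    printf( "ALERT %s (%s): %d distinct post IDs via get_sponsored_meta, sequential=%s\n",
        $user, $f['role'], $f['distinct_keys'], $f['sequential'] ? 'yes' : 'no' );
}
```

Run it with `php detect.php`; on the constructed input only sub_bob is reported (six distinct, sequential IDs), while editor_alice is skipped by role and sub_carol never calls the vulnerable action. In production the role map is the piece that matters most: admin-ajax.php requests carry a session cookie, not a role, so the correlation with "non-administrative user cookies" called for above needs that lookup from the WordPress user table.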
Monitoring Recommendations
- Enable verbose request logging on admin-ajax.php and forward to a centralized SIEM
- Track plugin version inventory across WordPress fleets to confirm Broadstreet is patched
- Monitor for unexpected metadata read patterns against private posts
How to Mitigate CVE-2026-1881
Immediate Actions Required
- Upgrade the Broadstreet plugin to version 1.53.2 or later on every WordPress site
- Audit Subscriber-level and newly registered accounts for suspicious activity since the plugin was installed
- Restrict open user registration where it is not required for business operations
Patch Information
The vendor addressed the issue in Broadstreet 1.53.2. The fix adds validation on the user-supplied key in the get_sponsored_meta AJAX handler. The code differences are visible in the WordPress Plugin Change Log.
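To make the root cause and the shape of the fix concrete, here is an added PHP example (not Broadstreet's code and not the vendor's actual patch, whose exact changes are only in the plugin change log). It contrasts a simplified hypothetical AJAX handler with the missing object-level authorization described above against a hardened version that verifies a nonce, resolves the post, checks the caller's read permission for that specific object, and returns only the metadata keys the feature needs. The hook name, function names, nonce action and metadata key names are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code: a hypothetical WordPress AJAX handler
// showing the CWE-639 pattern behind CVE-2026-1881 beside a hardened version.
// Hook/function names, nonce action and meta key names are assumptions.

// Weak pattern: the client-supplied key alone selects the object, and the only
// gate is that WordPress already authenticated the caller (wp_ajax_* hooks
// fire for any logged-in user, Subscriber included).
function bs_example_get_sponsored_meta_weak() {
    $post_id = isset( $_POST['key'] ) ? (int) $_POST['key'] : 0;
    // No object-level check: private posts are returned like public ones.
    wp_send_json_success( get_post_meta( $post_id ) );
}

// Hardened pattern: intent check, object resolution, object-level authorization,
// and a minimal response.
function bs_example_get_sponsored_meta_hardened() {
    // The page that issues the request embeds
    // wp_create_nonce( 'bs_example_sponsored_meta' ) as the 'nonce' field.
    check_ajax_referer( 'bs_example_sponsored_meta', 'nonce' );

    $post_id = isset( $_POST['key'] ) ? absint( $_POST['key'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    // Object-level authorization: 'read_post' is a meta capability that
    // map_meta_cap() resolves per post, so a private post requires
    // read_private_posts, which Subscribers do not have.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Return only the specific keys the feature needs, never all post meta.
    $allowed = array( 'bs_sponsor_name', 'bs_sponsor_url' ); // assumed key names
    $out     = array();
    foreach ( $allowed as $k ) {
        $out[ $k ] = get_post_meta( $post->ID, $k, true );
    }
    wp_send_json_success( $out );
}

// Register only the hardened handler, and only for logged-in users
// (deliberately no wp_ajax_nopriv_ variant).
add_action( 'wp_ajax_bs_example_get_sponsored_meta', 'bs_example_get_sponsored_meta_hardened' );
```

The two checks that close the IDOR are the nonce (the request was issued by the plugin's own page for this user) and the per-object `current_user_can( 'read_post', ... )` call; a role check alone (for example refusing Subscribers) would not be enough, because a Contributor or Author still has no right to read another user's private post. Restricting the response to a known list of keys also limits what leaks if a future check is missed.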
Workarounds
- Disable the Broadstreet plugin until the patched version can be deployed
- Block requests to admin-ajax.php with action=get_sponsored_meta at the web application firewall for low-privileged sessions
- Temporarily disable new user registration through WordPress general settings
# Update Broadstreet plugin via WP-CLI
wp plugin update broadstreet --version=1.53.2
wp plugin list --name=broadstreet --fields=name,status,version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


