Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45210

CVE-2026-45210: Broadstreet Ads Auth Bypass Vulnerability

CVE-2026-45210 is an authorization bypass flaw in Broadstreet Ads plugin affecting versions up to 1.52.2 that allows attackers to exploit misconfigured access controls. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-45210 Overview

CVE-2026-45210 is a Missing Authorization vulnerability [CWE-862] affecting the Broadstreet Ads WordPress plugin. The flaw exists in all versions up to and including 1.52.2. Authenticated attackers with low-level privileges can abuse incorrectly configured access control checks to perform actions reserved for higher-privileged roles. The vulnerability is exploitable over the network and requires no user interaction.

Critical Impact

Low-privileged authenticated users can bypass access control checks on the Broadstreet Ads plugin to manipulate plugin functionality, impacting site integrity and availability.

Affected Products

  • Broadstreet Ads WordPress plugin (broadstreet) versions through 1.52.2
  • WordPress sites running the vulnerable plugin with low-privileged user accounts enabled
  • Any deployment that has not applied the vendor-supplied fix beyond 1.52.2

Discovery Timeline

  • 2026-05-12 - CVE-2026-45210 published to NVD
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-45210

Vulnerability Analysis

The Broadstreet Ads plugin exposes one or more plugin actions without enforcing proper capability or role checks. WordPress plugins typically use functions such as current_user_can() to gate sensitive operations behind administrator-level privileges. When these checks are missing or incorrectly scoped, authenticated users with low privileges, such as Subscriber or Contributor, can invoke restricted functionality.

The vulnerability falls under [CWE-862] Missing Authorization. Exploitation does not require complex conditions. An attacker authenticated to the WordPress site can send crafted requests to plugin endpoints and trigger actions intended for administrators. The impact includes limited integrity and availability loss on the affected plugin context.

Root Cause

The root cause is the absence of an authorization check before privileged plugin actions execute. The plugin code path validates the request format but does not verify that the calling user holds the required WordPress capability. This is a common error pattern in WordPress plugins where AJAX or REST handlers rely on nonce verification without capability validation.

Attack Vector

The attack vector is network-based and requires an authenticated session with low privileges. An attacker logs into the target WordPress site with any account that has at least Subscriber-level access. The attacker then issues HTTP requests to the vulnerable plugin endpoints. Because the plugin does not validate role membership, the requests succeed and execute privileged operations. No social engineering or user interaction is required.

A technical description is available in the Patchstack WordPress Vulnerability database.

Detection Methods for CVE-2026-45210

Indicators of Compromise

  • Unexpected POST or AJAX requests to wp-admin/admin-ajax.php referencing Broadstreet plugin actions from non-administrative user sessions
  • Modifications to ad configurations, zones, or plugin settings without a corresponding administrator login
  • Web server access logs showing repeated plugin endpoint requests from low-privilege accounts

Detection Strategies

  • Audit WordPress activity logs for low-privilege users invoking Broadstreet plugin actions normally reserved for administrators
  • Compare plugin configuration state against a known baseline to identify unauthorized changes
  • Inspect HTTP request bodies and parameters submitted to plugin AJAX or REST endpoints for anomalous role-action mismatches

Monitoring Recommendations

  • Enable verbose logging for WordPress AJAX and REST API endpoints associated with the Broadstreet plugin
  • Forward web server and WordPress audit logs to a centralized SIEM for correlation and retention
  • Alert on creation of new low-privilege accounts followed shortly by plugin endpoint activity

How to Mitigate CVE-2026-45210

Immediate Actions Required

  • Update the Broadstreet Ads plugin to a version newer than 1.52.2 as soon as the vendor releases a patched build
  • Audit existing WordPress user accounts and remove unused or untrusted low-privilege accounts
  • Review recent plugin configuration changes for unauthorized modifications

Patch Information

Refer to the Patchstack advisory for the latest patched version information. The advisory tracks versions through 1.52.2 as vulnerable. Apply the vendor-supplied update through the WordPress plugin manager or by deploying the fixed plugin package directly.

Workarounds

  • Restrict new user registration on the WordPress site until the patch is deployed
  • Apply a Web Application Firewall (WAF) rule to block requests to vulnerable Broadstreet plugin endpoints from non-administrative sessions
  • Temporarily deactivate the Broadstreet Ads plugin if it is not business-critical until an updated version is installed
bash
# Configuration example: disable the plugin via WP-CLI until patched
wp plugin deactivate broadstreet
wp plugin status broadstreet

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.