CVE-2026-11900
MediumCVSS 4.3Summary
The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress up to version 2.8.16 is vulnerable to Insecure Direct Object Reference (IDOR) via the 'data' attribute of the [adinserter] shortcode. The replace_ai_tags() function processes a {reusable-block-N} tag pattern that calls get_post_field('post_content', N) without verifying user capabilities with current_user_can('read_post'), without restricting the post type to 'wp_block', and without checking the post status. This allows authenticated attackers with Contributor-level access and above to read the full content of arbitrary posts, including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it.
Risk Assessment
The organization is at risk of leaking confidential content such as private pages, project drafts, or password-protected posts, potentially leading to disclosure of sensitive business information or violation of user privacy.
Recommendation
Immediately update the Ad Inserter plugin to the latest available version that fixes this vulnerability. Until the update is applied, temporarily disable the plugin or restrict access to the [adinserter] shortcode to trusted users only.
Original NVD description (English source)
The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-block-N} tag pattern that calls get_post_field('post_content', N) without verifying the requesting user's capability with current_user_can('read_post'), without restricting the post type to 'wp_block', and without checking the post status. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the full content of arbitrary posts including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it.

