CVE-2025-27296
Published: 24 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-27296 is a missing authorization vulnerability (CWE-862) in the WordPress plugin Auto Ad Inserter – Increase Google Adsense and Ad Manager Revenue, with the slug revenueflex-easy-ads. The flaw allows exploiting incorrectly configured access control security levels and affects all versions from n/a through 1.5. Published on 2025-02-24, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires high privileges (PR:H), such as administrator-level access on a vulnerable WordPress site. An attacker with such privileges can trigger the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), enabling unauthorized actions like settings changes within the plugin.
The Patchstack advisory documents this as a settings change vulnerability specifically in plugin version 1.5. Mitigation details are available in the referenced advisory, which covers patching and remediation for the affected WordPress plugin.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a missing authorization vulnerability in a public-facing WordPress plugin allowing network-based exploitation with high privileges to perform unauthorized settings changes, directly enabling exploitation of public-facing applications.