CVE-2025-30855
Published: 31 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-30855 is a missing authorization vulnerability, classified under CWE-862, in the WordPress plugin Ads by WPQuads (quick-adsense-reloaded). This issue affects all versions of the plugin from n/a through 2.0.87.1 and stems from exploiting incorrectly configured access control security levels. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high severity due to its potential for unauthorized data modification.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no requirement for user interaction. Exploitation enables high integrity impact, allowing attackers to bypass authorization checks and perform actions they should not be permitted to, such as altering plugin configurations or ad placements.
The Patchstack advisory provides further details on this broken access control vulnerability in the Ads by WPQuads plugin version 2.0.87.1 and recommends mitigation steps, available at https://patchstack.com/database/Wordpress/Plugin/quick-adsense-reloaded/vulnerability/wordpress-ads-by-wpquads-plugin-2-0-87-1-broken-access-control-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing authorization (CWE-862) vulnerability in the public-facing WordPress plugin allows unauthenticated remote attackers to bypass access controls and modify configurations, directly enabling T1190 (Exploit Public-Facing Application).