– Proof of Concept - Atomic Edge

Atomic Edge analysis of CVE-2025-12884:
This vulnerability is an authorization bypass in the Advanced Ads WordPress plugin, affecting versions up to and including 2.0.14. The flaw allows authenticated users with subscriber-level permissions or higher to modify ad placements, which are intended to be managed only by users with the ‘advanced_ads_manage_placements’ capability. The CVSS score of 4.3 reflects a medium severity impact on integrity.

The root cause is the missing capability check in the `placement_update_item()` function within the `/advanced-ads/includes/admin/class-ajax.php` file. Prior to the patch, the function began directly processing the `placement_id` and `item_id` parameters from the POST request. The function did not verify the user’s authorization before executing the placement update logic.

Exploitation requires an authenticated attacker with any valid WordPress user account, including the default subscriber role. The attacker sends a POST request to the `/wp-admin/admin-ajax.php` endpoint with the `action` parameter set to `advads_placement_update_item`. The request must include the `placement_id` (an integer) and `item_id` (a string identifying an ad or group) parameters. No nonce check was present, so a valid nonce is not required for the request.

The patch adds an authorization check and a nonce verification at the start of the `placement_update_item()` function. The patch inserts a call to `check_ajax_referer()` to validate the `nonce` parameter against the ‘advanced-ads-admin-ajax-nonce’ action. It then calls `Conditional::user_can(‘advanced_ads_manage_placements’)`. If either check fails, the function sends a JSON error with a 403 status code and terminates. This ensures only authorized users can proceed to the placement update logic.

Successful exploitation allows an attacker to alter which advertisement or ad group is served by a specific placement on the website. This could disrupt advertising revenue, display malicious or unintended content, or degrade site functionality. The impact is limited to the modification of existing ad placements and does not grant direct administrative access or code execution.