CVE-2025-9988: Unauthorized Access in Broadstreet WordPress Plugin

The primary impact of CVE-2025-9988 is the potential for unauthorized content publication. An attacker, already logged in with a Subscriber role (or higher), can leverage this vulnerability to create new advertisers within the Broadstreet plugin. This could lead to the injection of malicious advertisements, spam content, or other unauthorized material onto the website. While the attacker needs to be authenticated, the relatively low access requirements (Subscriber role) significantly broaden the potential attack surface. The blast radius is limited to the website using the vulnerable Broadstreet plugin, but the consequences can be substantial if the injected content damages the site's reputation or compromises user data.

1. Reserved2025-09-04
2. Veröffentlicht2026-05-13

The recommended mitigation for CVE-2025-9988 is to immediately upgrade the Broadstreet plugin to version 1.53.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily restricting access to the createadvertiser AJAX endpoint using a WordPress firewall (WAF) or security plugin. Specifically, configure the WAF to block requests to /wp-admin/admin-ajax.php?action=createadvertiser from users with the Subscriber role. Regularly review user roles and permissions to ensure that only authorized personnel have access to administrative functions. After upgrading, confirm the fix by attempting to create an advertiser with a Subscriber-level user account; the action should be denied.