Pending AnalysisCVE-2025-9988

CVE-2025-9988: Unauthorized Access in Broadstreet WordPress Plugin

Platform

wordpress

Component

broadstreet

Fixed in

1.53.2

View on NVD

Save

CVE-2025-9988 is a medium-severity vulnerability affecting the Broadstreet WordPress plugin. It allows authenticated users with Subscriber-level access or higher to create advertisers without proper authorization, potentially leading to malicious content or advertising. This vulnerability impacts versions 0.0 through 1.53.1 and has been resolved in version 1.53.2.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

The primary impact of CVE-2025-9988 is the ability for unauthorized users to create advertisers within the Broadstreet plugin. An attacker, already logged in with a Subscriber account (a common WordPress user role), can leverage this vulnerability to inject malicious advertisements or content. This could be used for phishing attacks, spreading malware, or defacing the website. The blast radius is limited to the website using the Broadstreet plugin and the potential impact on its users and visitors. While not a direct system compromise, the ability to inject malicious advertisements can have significant reputational and financial consequences for the website owner.

Exploitation Context

CVE-2025-9988 is not currently listed on KEV or EPSS, suggesting a low to medium probability of active exploitation. Public proof-of-concept (POC) code is not widely available, but the vulnerability's simplicity makes it likely that exploits could be developed. The vulnerability was published on 2026-05-13, so monitoring for exploitation attempts is advised. The vulnerability's reliance on authenticated access limits its exploitability compared to vulnerabilities that do not require authentication.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

CISA SSVC

Exploitationnone

Automatableno

Technical Impactpartial

CVSS Vector

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Componentbroadstreet

Vendorwordfence

Minimum version0

Maximum version1.53.1

Fixed in1.53.2

Weakness Classification (CWE)

CWE-285

Timeline

Reserved2025-09-04
Published2026-05-13

Mitigation and Workarounds

The recommended mitigation for CVE-2025-9988 is to immediately upgrade the Broadstreet WordPress plugin to version 1.53.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting advertiser creation privileges to administrators only through WordPress user role management. While not a complete fix, this can reduce the attack surface. There are no specific WAF rules or detection signatures readily available for this vulnerability, as it relies on user authentication and plugin functionality. After upgrading, verify the fix by logging in as a Subscriber user and attempting to create an advertiser; the action should be denied.

How to fix

Update to version 1.53.2, or a newer patched version

Frequently asked questions

What is CVE-2025-9988 — Unauthorized Access in Broadstreet WordPress Plugin?

CVE-2025-9988 is a medium-severity vulnerability in the Broadstreet WordPress plugin allowing authenticated subscribers to create advertisers without proper authorization, potentially leading to malicious content.

Am I affected by CVE-2025-9988 in Broadstreet WordPress Plugin?

You are affected if you are using the Broadstreet WordPress plugin in versions 0.0 through 1.53.1. Upgrade to 1.53.2 or later to mitigate the risk.

How do I fix CVE-2025-9988 in Broadstreet WordPress Plugin?

Upgrade the Broadstreet WordPress plugin to version 1.53.2 or later. If immediate upgrade is not possible, restrict advertiser creation privileges to administrators only.

Is CVE-2025-9988 being actively exploited?

While there is no widespread evidence of active exploitation, the vulnerability's simplicity suggests it could be targeted. Monitoring for exploitation attempts is recommended.

Where can I find the official Broadstreet advisory for CVE-2025-9988?

Refer to the official Broadstreet plugin documentation and WordPress plugin repository for the latest advisory and update information: [https://wordpress.org/plugins/broadstreet/](https://wordpress.org/plugins/broadstreet/)

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free Search CVEs

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

livefree scan

Scan your WordPress project now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...

Browse files