Platform: wordpress
Component: advanced-ads
Fixed in: 2.0.15
CVE-2025-13592 is a Remote Code Execution (RCE) vulnerability affecting the Advanced Ads – Ad Manager & AdSense plugin for WordPress. This vulnerability allows authenticated attackers with editor-level permissions or higher to execute arbitrary code on the server. The vulnerability impacts versions 0.0.0 through 2.0.14, and a patch is available in version 2.0.15.
Successful exploitation of CVE-2025-13592 allows an attacker to gain complete control over the WordPress server. This could lead to data breaches, website defacement, malware installation, and further compromise of the underlying system. The attacker needs editor-level permissions, which are commonly granted to content creators and administrators. Given the widespread use of WordPress and the Advanced Ads plugin, this vulnerability has a potentially large attack surface. The ability to execute arbitrary code represents a critical security risk, enabling attackers to bypass standard security controls and escalate their privileges.
CVE-2025-13592 was publicly disclosed on December 29, 2025. The vulnerability's ease of exploitation, coupled with the popularity of the Advanced Ads plugin, suggests a potential for active exploitation. No public proof-of-concept (PoC) code has been observed as of the disclosure date, but the vulnerability's nature makes it likely that PoCs will emerge. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.29% (52nd percentile)
The primary mitigation for CVE-2025-13592 is to immediately upgrade the Advanced Ads plugin to version 2.0.15 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the 'change-ad__content' shortcode parameter to trusted users only. While not a complete fix, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block suspicious requests targeting the shortcode parameter may also provide some protection. After upgrading, verify the plugin's functionality and confirm that the vulnerability is no longer exploitable by attempting to access the affected shortcode with various inputs.
Update to version 2.0.15, or a newer patched version
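An added example, not code from the plugin or from this advisory: a Python check that flags affected plugin versions and lists stored posts whose shortcodes carry the 'change-ad__content' parameter, so those posts and their authors can be reviewed. The sample rows, author names and the `example_ad` shortcode tag are constructed, and it assumes post content has been exported as (ID, author, content) tuples.

```python
import re

FIXED = (2, 0, 15)            # first patched release, per the advisory
PARAM = "change-ad__content"  # shortcode parameter named in the advisory

# A WordPress-style shortcode "[tag attr=... ]" that carries PARAM as an attribute.
SHORTCODE_RE = re.compile(
    r"\[(?P<tag>[\w-]+)\s[^\]]*?(?<![\w-])" + re.escape(PARAM) + r"\s*=",
    re.IGNORECASE,
)

def parse_version(text):
    """Turn '2.0.14' into (2, 0, 14); short versions are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < FIXED

def find_param_uses(posts):
    """Return (post_id, author, shortcode_tag) for each shortcode carrying PARAM."""
    hits = []
    for post_id, author, content in posts:
        for match in SHORTCODE_RE.finditer(content):
            hits.append((post_id, author, match.group("tag")))
    return hits

# Constructed sample rows: (ID, author, post content).
SAMPLE_POSTS = [
    (101, "editor-a", 'Intro text [example_ad id="7"] outro'),
    (102, "editor-b", 'Text [example_ad id="7" change-ad__content="<p>hi</p>"]'),
    (103, "editor-a", "The change-ad__content parameter is mentioned in prose only."),
]

if __name__ == "__main__":
    for version in ("2.0.14", "2.0.15"):
        state = "AFFECTED" if is_affected(version) else "patched"
        print(f"advanced-ads {version}: {state}")
    for post_id, author, tag in find_param_uses(SAMPLE_POSTS):
        print(f"review post {post_id} by {author}: [{tag}] uses {PARAM}")
```

A hit only means the parameter is present in stored content; whether the use is legitimate still needs a manual look at the post and its revision history.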
CVE-2025-13592 is a Remote Code Execution vulnerability in the Advanced Ads WordPress plugin, allowing attackers with editor permissions to execute code on the server.
You are affected if you are using Advanced Ads plugin versions 0.0.0 through 2.0.14 on your WordPress site.
Upgrade the Advanced Ads plugin to version 2.0.15 or later to resolve the vulnerability. Consider restricting access to the vulnerable shortcode parameter as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's nature suggests a potential for exploitation, and monitoring is recommended.
Refer to the official Advanced Ads plugin website or WordPress plugin repository for the latest security advisory and update information.