{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39698", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:16.464Z", "datePublished": "2026-04-08T08:30:46.345Z", "dateUpdated": "2026-04-08T14:11:42.227Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "the-publisher-desk-ads-txt", "product": "The Publisher Desk ads.txt", "vendor": "PublisherDesk", "versions": [{"lessThanOrEqual": "1.5.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:46.249Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in PublisherDesk The Publisher Desk ads.txt the-publisher-desk-ads-txt allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects The Publisher Desk ads.txt: from n/a through <= 1.5.0.</p>"}], "value": "Missing Authorization vulnerability in PublisherDesk The Publisher Desk ads.txt the-publisher-desk-ads-txt allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Publisher Desk ads.txt: from n/a through <= 1.5.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:46.345Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/the-publisher-desk-ads-txt/vulnerability/wordpress-the-publisher-desk-ads-txt-plugin-1-5-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress The Publisher Desk ads.txt plugin <= 1.5.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:11:38.886878Z", "id": "CVE-2026-39698", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:11:42.227Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39698", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:11:38.886878Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:07:49.984Z"}}], "cna": {"title": "WordPress The Publisher Desk ads.txt plugin <= 1.5.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "PublisherDesk", "product": "The Publisher Desk ads.txt", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.5.0"}], "packageName": "the-publisher-desk-ads-txt", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:46.249Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/the-publisher-desk-ads-txt/vulnerability/wordpress-the-publisher-desk-ads-txt-plugin-1-5-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in PublisherDesk The Publisher Desk ads.txt the-publisher-desk-ads-txt allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Publisher Desk ads.txt: from n/a through <= 1.5.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in PublisherDesk The Publisher Desk ads.txt the-publisher-desk-ads-txt allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects The Publisher Desk ads.txt: from n/a through <= 1.5.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:46.345Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39698", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:11:42.227Z", "dateReserved": "2026-04-07T10:58:16.464Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:46.345Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in PublisherDesk The Publisher Desk ads.txt the-publisher-desk-ads-txt allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Publisher Desk ads.txt: from n/a through <= 1.5.0."}], "id": "CVE-2026-39698", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:42.307", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/the-publisher-desk-ads-txt/vulnerability/wordpress-the-publisher-desk-ads-txt-plugin-1-5-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "The Publisher Desk ads.txt", "source": "cna", "vendor": "PublisherDesk"}, "product": "the_publisher_desk_ads.txt", "vendor": "publisherdesk"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T15:52:06.123217+00:00", "value": {"mitigation_remediation": ["Update the PublisherDesk The Publisher Desk ads.txt plugin to a patched version (1.5.1 or later).", "If an update is unavailable, temporarily disable the plugin until a patch is released.", "Verify that no remote unauthorized access to plugin endpoints is possible by testing with a non\u2011privileged user.", "Apply general WordPress hardening measures, ensuring that only trusted administrators have access to plugin management."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "WordPress installations that include the PublisherDesk The Publisher Desk ads.txt plugin, specifically any version up to and including 1.5.0.", "description_and_impact": "A missing authorization flaw in the PublisherDesk The Publisher Desk ads.txt WordPress plugin permits attackers to exploit incorrectly configured access control mechanisms. This weakness empowers unauthorized users to read or potentially modify the plugin\u2019s ads.txt configuration, allowing the injection of false or malicious ad entries that can redirect revenue, reveal internal data, or facilitate further exploitation of the site. The root cause aligns with CWE-862, a broken access control vulnerability.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates moderate severity, while an EPSS score of less than 1% signals a low probability of exploitation in the wild. The vulnerability is not currently catalogued in CISA\u2019s KEV inventory, reducing awareness among security teams. Based on the description, the likely attack vector is remote via unauthenticated HTTP requests to the plugin\u2019s exposed endpoints. Exploitation would require an attacker to identify a site running a vulnerable version of the plugin and send crafted requests that bypass normal authorization checks."}}}}, "created": "2026-04-08T19:27:36.873257+00:00", "updated": "2026-04-08T19:40:21.513361+00:00", "vendors": ["publisherdesk", "publisherdesk$PRODUCT$the_publisher_desk_ads.txt", "wordpress", "wordpress$PRODUCT$wordpress"]}