cleantalk
Vulnerabilities and Security Researches

CM Ad Changer – Ad Manager and Ad Server, CVE-2026-9236

CVE, Research URL

CVE-2026-9236

Home page URL

Security reports for CM Ad Changer – Ad Manager and Ad Server

Application

CM Ad Changer – Ad Manager and Ad Server

Published on
May 27, 2026
Research Description
The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmac_campaigns_action function. This makes it possible for unauthenticated attackers to permanently delete arbitrary advertising campaigns, including their associated banner records and uploaded files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 2.0.8.
Status
vulnerable
Previous vulnerability researches
Auto Thumbnails (CVE-2026-8899) , May 28, 2026
New vulnerability
Meta Field Block (CVE-2026-3173) , May 28, 2026
Dideo (CVE-2026-8847) , May 28, 2026
Splide Carousel Block (CVE-2026-9022) , May 28, 2026
Advanced Custom Fields: Font Awesome Field (CVE-2026-49044) , May 28, 2026
Easy Updates Manager (CVE-2026-7660) , May 28, 2026