cleantalk
Vulnerabilities and Security Researches

Broadstreet, CVE-2026-1881

CVE, Research URL

CVE-2026-1881

Home page URL

Security reports for Broadstreet

Application

Broadstreet

Published on
May 21, 2026
Research Description
The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disclose any private post metadata.
Affected versions
max 1.53.2.
Status
vulnerable
Previous vulnerability researches
Ultimate Classified Listings (CVE-2024-52487) , Nov 23, 2024
Ultimate Classified Listings (CVE-2024-52448) , Nov 22, 2024
Ultimate Classified Listings (CVE-2024-13753) , Feb 22, 2025
Ultimate Classified Listings (CVE-2024-13748) , Feb 22, 2025
Ultimate Classified Listings (CVE-2024-5882) , Jul 17, 2024
New vulnerability
Salon booking system (CVE-2026-42666) , May 23, 2026
Error Log Monitor, Activity Logs, User Activity Tracking from Logtivity (CVE-2026-42673) , May 23, 2026
Word 2 Cash (CVE-2026-6395) , May 23, 2026
Faces of Users (CVE-2026-8038) , May 23, 2026
LJ comments import: reloaded (CVE-2026-8624) , May 23, 2026