cleantalk
Vulnerabilities and Security Researches

CM Ad Changer – Ad Manager and Ad Server, CVE-2026-9236

CVE, Research URL

CVE-2026-9236

Home page URL

Security reports for CM Ad Changer – Ad Manager and Ad Server

Application

CM Ad Changer – Ad Manager and Ad Server

Published on
May 27, 2026
Research Description
The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmac_campaigns_action function. This makes it possible for unauthenticated attackers to permanently delete arbitrary advertising campaigns, including their associated banner records and uploaded files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 2.0.8.
Status
vulnerable
Previous vulnerability researches
VikBooking Hotel Booking Engine & PMS (CVE-2025-5803) , Apr 24, 2026
VikBooking Hotel Booking Engine & PMS (CVE-2026-42683) , May 28, 2026
VikBooking Hotel Booking Engine & PMS (CVE-2022-1408) , Jun 07, 2024
VikBooking Hotel Booking Engine & PMS (CVE-2023-24396) , Jun 07, 2024
VikBooking Hotel Booking Engine & PMS (CVE-2023-25707) , Jun 07, 2024
New vulnerability
Dideo (CVE-2026-8847) , May 28, 2026
Splide Carousel Block (CVE-2026-9022) , May 28, 2026
Advanced Custom Fields: Font Awesome Field (CVE-2026-49044) , May 28, 2026
Easy Updates Manager (CVE-2026-7660) , May 28, 2026
Timetable and Event Schedule by MotoPress (CVE-2026-9228) , May 28, 2026