CVE-2026-39698
Missing Authorization in The Publisher Desk ads.txt
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | the_publisher_desk_ads_txt | to 1.5.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-39698 is a broken access control vulnerability in the WordPress plugin "The Publisher Desk ads.txt" affecting versions up to and including 1.5.0.
The vulnerability arises from missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unauthenticated users to perform actions that normally require higher privileges.
It is classified under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated users to perform privileged actions within the affected plugin, potentially leading to unauthorized changes or access.
Although it can be exploited in mass campaigns targeting many websites, it is considered unlikely to be exploited with significant impact.
The CVSS severity score is 5.3, indicating a low severity impact.
No official patch is currently available, so immediate mitigation involves updating the plugin or seeking assistance from hosting providers or web developers.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the affected plugin to a version higher than 1.5.0 if available.
If updating is not possible, users are advised to seek assistance from their hosting provider or web developer to implement protective measures.
Patchstack offers rapid mitigation services and prioritizes this vulnerability as low severity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a broken access control issue in the WordPress plugin "The Publisher Desk ads.txt" up to version 1.5.0, caused by missing authorization checks. Detection typically involves verifying if unauthorized users can access or perform privileged actions related to the plugin.
Since the vulnerability allows unauthenticated users to perform actions requiring higher privileges, you can test access by attempting to access plugin-specific endpoints or functions without authentication.
No specific detection commands are provided in the available resources. However, general approaches include:
- Using curl or similar tools to send HTTP requests to plugin-related URLs and checking if unauthorized access is possible.
- Reviewing web server logs for unusual access patterns to the plugin's endpoints.
- Using vulnerability scanners that check for broken access control issues in WordPress plugins.
For example, a command to test unauthorized access might be: curl -I http://yourwordpresssite.com/wp-content/plugins/the-publisher-desk-ads-txt/specific-endpoint
Replace 'specific-endpoint' with the actual plugin function or file suspected to be vulnerable. If the response indicates access without authentication, the vulnerability may be present.