Severity: HIGH | CVE-2026-54816 | CNA: Patchstack

CVE-2026-54816: WordPress Advanced Ads plugin <= 2.0.21 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Monetizemore Advanced Ads allows Remote Code Inclusion. This issue affects Advanced Ads: from n/a through 2.0.21.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: none (pending upstream)
  • Affected products: 1


HarborGuard Analysis

Synopsis

A code injection vulnerability in the Monetizemore Advanced Ads WordPress plugin (versions up to and including 2.0.21) allows a remote attacker to include and execute arbitrary code on the server. The vulnerability is reachable over the network, requires a low-privilege account, and involves high attack complexity due to environmental preconditions the attacker must meet. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected system, enabling remote code execution. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-54816 is available across every HarborGuard environment. The CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images in registries and CI/CD pipelines, covering both official and custom-built images that bundle the Advanced Ads plugin.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 7.5 (HIGH) and weighting it against each customer environment's compliance policy. Triage routing sends the alert to the appropriate team inbox within the customer org based on policy configuration, asset ownership, and severity thresholds.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the meantime, customers can apply compensating controls through HarborGuard's network-policy recommendations to limit exposure of affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the vulnerable WordPress service over the network in order to trigger the code injection endpoint.

  • Authentication: Required

    A low-privilege WordPress account is sufficient; the attacker does not need administrative credentials, but unauthenticated access alone is not enough.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker can trigger exploitation directly without any user clicking a link or performing an action.

  • Attack complexity: Detail

    Attack complexity is rated High, meaning the attacker must meet specific environmental or configuration conditions beyond simply sending a request, such as particular server settings or race-condition-like prerequisites.

Blast Radius

  • Reads any file readable by the web server process, including WordPress configuration files containing database credentials and secret keys.
  • Modifies or deletes files on the server, including plugin files, themes, and uploaded content.
  • Executes arbitrary operating system commands, enabling the attacker to establish persistent access or pivot to other systems on the same network.
  • Crashes or degrades the affected WordPress service by corrupting runtime state or exhausting server resources.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored with no upstream fix currently published. HarborGuard re-evaluates the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. While no patch is available, HarborGuard can surface compensating-control recommendations including network-policy isolation to restrict inbound access to affected WordPress deployments, egress filtering to block outbound code-inclusion requests, and feature-flag or plugin-disablement guidance where the Advanced Ads plugin is not strictly required in a given environment. Customers should review HarborGuard findings for any image bundling Advanced Ads at or below version 2.0.21 and treat affected workloads as high-priority for isolation until an upstream patch is available.
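
The review described above, finding every copy of Advanced Ads at or below 2.0.21 in an unpacked image or host filesystem, can be scripted. The script below is an added example, not HarborGuard's or the plugin's own code; it assumes the plugin is installed under `wp-content/plugins/advanced-ads` with a standard WordPress `Version:` header, and the sample tree (including the version string 2.0.22, which is not a published fix) is constructed.

```python
import re, tempfile
from pathlib import Path

AFFECTED_MAX = (2, 0, 21)      # advisory: affected through 2.0.21
PLUGIN_SLUG = "advanced-ads"   # assumption: plugin directory name
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][\w.\-]*)", re.M | re.I)

def parse_version(text):
    """'2.0.21' -> (2, 0, 21); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def plugin_version(plugin_dir):
    """Version header of the plugin's main file, or None if not found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        m = VERSION_RE.search(head) if "Plugin Name:" in head else None
        if m:
            return m.group(1)
    return None

def find_affected(root):
    """[(path, version, affected)] for each copy of the plugin under root."""
    hits = []
    for d in sorted(Path(root).rglob(PLUGIN_SLUG)):
        if not (d.is_dir() and d.parent.name == "plugins"
                and d.parent.parent.name == "wp-content"):
            continue
        ver = plugin_version(d)
        # An unreadable version is flagged so that it gets a manual look.
        affected = ver is None or parse_version(ver) <= AFFECTED_MAX
        hits.append((str(d), ver, affected))
    return hits

def make_sample(root, site, version):
    """Constructed sample: a minimal plugin header inside a fake image root."""
    d = Path(root, site, "wp-content", "plugins", PLUGIN_SLUG)
    d.mkdir(parents=True)
    (d / "advanced-ads.php").write_text(
        f"<?php\n/**\n * Plugin Name: Advanced Ads\n * Version: {version}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp, "var/www/a", "2.0.21")
        make_sample(tmp, "var/www/b", "2.0.22")   # constructed, not a real fix
        for hit in find_affected(tmp):
            print(hit)
```

Point `find_affected` at the root of an extracted image layer or a mounted volume; copies whose version cannot be read are reported as affected rather than skipped.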

Affected packages
  • Monetizemore / Advanced Ads
    ≤ 2.0.21
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H