Security Alert Summary
The WordPress plugin ad manager wd (version 1.0.11) contains an arbitrary file download vulnerability that allows unauthenticated attackers to download files by manipulating a path parameter. Attackers can send specially crafted GET requests to an edit.php endpoint with export=export_csv and a malicious path parameter to read files accessible to the web server, including wp-config.php.
CVE Details
- CVE ID: CVE-2019-25727
- Affected component: WordPress Plugin ad manager wd
- Affected versions: 1.0.11 (as stated in the description)
- Published: June 4, 2026 at 2:16:30 PM
- Last modified: June 4, 2026 at 3:00:40 PM
- CVSS v3.1: Base Score 9.8, Severity: CRITICAL, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS v4.0 (secondary): Base Score 9.3, Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Authentication / privileges / user interaction: No authentication required; privileges required: NONE; user interaction: NONE.
- Primary impact: Confidentiality: HIGH; Integrity: HIGH; Availability: HIGH.
- Weakness (CWE): CWE-22 (Path Traversal)
Technical Details
The plugin implements an endpoint that accepts a GET request to edit.php with the parameter export=export_csv. The vulnerability stems from insufficient validation of a path parameter, allowing an attacker to supply a crafted path that causes the application to return arbitrary files readable by the web server. The description explicitly references reading files such as wp-config.php by manipulating this parameter.
This is an unauthenticated arbitrary file download (path traversal) issue: an attacker can request server-accessible files without valid credentials or interaction from a site user. The immediate technical impact is disclosure of files on the server that the web process can read. Files like wp-config.php often contain database connection details and keys, so disclosure of such files can expose sensitive configuration data.
How This Could Impact Your Website
Consider a small site with an owner, an internal editor, and an external contractor who uploads assets. An unauthenticated attacker could probe the vulnerable endpoint and download configuration files or backups stored in web-accessible locations. Practical consequences include exposure of internal configuration and credential files, which can reveal database credentials or site secrets, and disclosure of data that may contain user email addresses or other personal information.
With exposed emails or configuration details, attackers can more easily craft targeted phishing or social engineering campaigns against site staff or customers. The vulnerability does not imply automatic full site takeover, but disclosure of sensitive files significantly raises the risk profile for further attacks.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Temporarily remove or disable the plugin if you cannot confirm a safe version is installed.
- Review and reduce unnecessary user roles and permissions, especially for contributors and external contractors.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and ensure file storage is not web-accessible when not required.
- Monitor site activity and server logs for unusual requests to edit.php or attempts to access sensitive files.
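To make the last recommendation concrete, here is an added Python example (written for this summary, not a Freshy or plugin tool) that scans web server access logs in the common "combined" format and flags CSV-export requests to edit.php, raising the severity when the path value contains traversal sequences or names a sensitive file such as wp-config.php. The sample log lines are constructed; the parameter name `path` and the `PLUGIN_SLUG` directory are placeholders, since the advisory only speaks of "a path parameter".

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format; only the fields the detector needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# File names the advisory calls out or that commonly appear in traversal attempts.
SENSITIVE_NAMES = ("wp-config.php", ".htaccess", "/etc/passwd")
# Assumed query-parameter name; the advisory only says "a path parameter".
PATH_PARAM = "path"


def looks_like_traversal(value: str) -> bool:
    """True if a path value tries to leave the export directory or names a
    sensitive file. Decoding twice catches double-encoded sequences (%252e)."""
    decoded = unquote(unquote(value))
    if ".." in decoded or decoded.startswith("/") or "\\" in decoded or "\x00" in decoded:
        return True
    lowered = decoded.lower()
    return any(name in lowered for name in SENSITIVE_NAMES)


def analyze_line(line: str) -> Optional[dict]:
    """Return a finding for a CSV-export request to edit.php, or None otherwise."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/edit.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("export") != ["export_csv"]:
        return None
    reasons = ["export_csv request to edit.php"]
    severity = "medium"  # legitimate exports use the same endpoint, so this alone is not proof
    if any(looks_like_traversal(v) for v in params.get(PATH_PARAM, [])):
        reasons.append("path value attempts traversal or names a sensitive file")
        severity = "high"
    if severity == "high" and m.group("status") == "200" and m.group("size") not in ("-", "0"):
        reasons.append("server answered 200 with a body: the file was likely disclosed")
    return {"ip": m.group("ip"), "time": m.group("ts"), "status": m.group("status"),
            "target": m.group("target"), "severity": severity, "reasons": reasons}


def analyze_log(lines) -> list:
    """Run analyze_line over an iterable of log lines and keep the findings."""
    return [f for f in (analyze_line(line) for line in lines) if f]


# Constructed sample log lines (not taken from any real incident).
SAMPLE_LOG = [
    '198.51.100.10 - - [04/Jun/2026:14:10:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.11 - - [04/Jun/2026:14:12:44 +0000] "GET /wp-content/plugins/PLUGIN_SLUG/edit.php?export=export_csv&path=ads.csv HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Jun/2026:14:16:30 +0000] "GET /wp-content/plugins/PLUGIN_SLUG/edit.php?export=export_csv&path=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.0"',
    '203.0.113.7 - - [04/Jun/2026:14:16:31 +0000] "GET /wp-content/plugins/PLUGIN_SLUG/edit.php?export=export_csv&path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 199 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["ip"], finding["target"], "|", "; ".join(finding["reasons"]))
```

A "high" finding with a 200 response and a non-empty body is the case to treat as a likely disclosure: rotate database credentials and the salts in wp-config.php, and review what else the web server user could read. "Medium" findings are expected from normal use of the export feature and mainly serve to show which clients are using the endpoint and whether any of them are unauthenticated.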
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.