What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPShop.Ru AdsPlace'r – Ad Manager, Inserter, AdSense Ads allows DOM-Based XSS. This issue affects AdsPlace'r – Ad Manager, Inserter, AdSense Ads: from n/a through 1.1.5.
Explanation of Vulnerability in Simple Terms
02 Summary
AdsPlace'r – Ad Manager allows logged-in users to inject malicious scripts into ad content because of insufficient input validation. When a victim visits a page displaying the affected ad, the script executes in their browser with access to their session. The vulnerability affects versions up to 1.1.5 and requires user interaction to trigger.
What an attacker can do
03 Attacker Capabilities
Inject malicious JavaScript that runs in visitors' browsers and steals session cookies or performs actions as the victim.
Potential impact on your site
04 Site Impact
Visitors' accounts can be compromised or hijacked; attackers can deface ads or redirect users to malicious sites.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege account (e.g., contributor or ad manager role) and the victim must view a page with the malicious ad.
Key dates
06 Disclosure timeline
January 6, 2026: CVE published
April 28, 2026: Record updated