CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
What the vulnerability does
The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.98.1 due to insufficient input sanitization and output escaping of multiple ad metadata parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Explanation of Vulnerability in Simple Terms
Quads Ads Manager for Google AdSense versions 2.0.98.1 and earlier contain a cross-site scripting (XSS) vulnerability. An authenticated user can inject malicious scripts that execute in other users' browsers when they view affected pages. The vulnerability requires user interaction and affects the integrity and confidentiality of site data.
What an attacker can do
Inject malicious scripts that run in other users' browsers to steal data or perform actions on their behalf.
Potential impact on your site
Authenticated users can inject scripts affecting other users' sessions, potentially compromising admin accounts or stealing sensitive data.
Conditions required to exploit
Attacker must have a low-privilege account (e.g., subscriber or contributor) and the victim must visit a page containing the injected payload.
Key dates
External resources
Related vulnerabilities
