Impact
The Oboxmedia Ads plugin for WordPress contains a stored cross-site scripting (XSS) flaw in the before_widget and after_widget attributes of its oboxads-ad-widget shortcode. The plugin neither sanitizes these attribute values when the post is saved nor escapes them when the shortcode is rendered, so an authenticated user with Contributor-level access or higher can place arbitrary JavaScript in a post. Whenever a page containing the shortcode is rendered, the script executes in the browser of whoever views it, enabling cookie theft, session hijacking, or defacement of the page content. Contributors cannot publish on a default WordPress install, so the first viewer is often the editor or administrator who previews the pending post, which makes a privileged session a realistic target. The weakness is CWE-79: it compromises the confidentiality and integrity of the affected user's session and can disrupt the page, but it does not by itself give code execution on the server.
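The following is an added illustration, not the plugin's source code: a shortcode handler in the shape the advisory describes, first in the unsafe form (wrapper attributes concatenated straight into the page) and then hardened with a wp_kses() allow-list, followed by a triage scan that lists stored posts whose wrapper attributes the allow-list would alter. It assumes it runs inside WordPress (for example as an mu-plugin); the function names, the shortcode tag example-ad-widget and the allow-list contents are assumptions made for this example.

```php
<?php
/**
 * Added example, not Oboxmedia Ads' code. Shows the vulnerable and the hardened
 * shape of a shortcode that wraps its output in caller-supplied before_widget /
 * after_widget markup, plus a scan for payloads already stored in posts.
 * Assumes WordPress is loaded (e.g. as an mu-plugin). The shortcode tag
 * "example-ad-widget", all function names and the allow-list are assumptions.
 */

// Wrapper markup a widget legitimately needs: a container element with class/id.
// No event-handler attributes, no href, no <script>, so wp_kses() removes every vector.
function example_ad_wrapper_allowed_html() {
    return array(
        'div'     => array( 'class' => true, 'id' => true ),
        'section' => array( 'class' => true, 'id' => true ),
        'aside'   => array( 'class' => true, 'id' => true ),
        'span'    => array( 'class' => true, 'id' => true ),
    );
}

// Stand-in for the ad body; a real plugin would load creative for $ad_id here.
function example_ad_body( $ad_id ) {
    return '<!-- ad ' . esc_html( $ad_id ) . ' -->';
}

// VULNERABLE pattern: attribute values reach the page untouched, so anyone who can
// insert the shortcode (Contributor and up) controls raw HTML in every viewer's browser.
function example_ad_widget_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => '', 'before_widget' => '<div class="ad">', 'after_widget' => '</div>' ),
        $atts,
        'example-ad-widget'
    );
    return $atts['before_widget'] . example_ad_body( $atts['id'] ) . $atts['after_widget'];
}

// HARDENED pattern: the wrapper stays configurable, but only allow-listed markup survives.
// esc_html() would be the wrong tool here (it would render the wrapper as literal text);
// wp_kses() keeps the permitted tags and strips <script>, on* handlers and javascript: URLs.
function example_ad_widget_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => '', 'before_widget' => '<div class="ad">', 'after_widget' => '</div>' ),
        $atts,
        'example-ad-widget'
    );
    $allowed = example_ad_wrapper_allowed_html();
    return wp_kses( $atts['before_widget'], $allowed )
         . example_ad_body( $atts['id'] )
         . wp_kses( $atts['after_widget'], $allowed );
}
add_shortcode( 'example-ad-widget', 'example_ad_widget_hardened' );

// Triage helper: after upgrading, list posts whose stored wrapper attributes contain
// anything the allow-list would remove. Each hit names the post, its author and status.
function example_ad_widget_find_tainted_posts( $tag = 'example-ad-widget' ) {
    global $wpdb;
    $allowed = example_ad_wrapper_allowed_html();
    $pattern = '/' . get_shortcode_regex( array( $tag ) ) . '/s';
    $tainted = array();

    $posts = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_author, post_status, post_content FROM {$wpdb->posts} WHERE post_content LIKE %s",
        '%' . $wpdb->esc_like( '[' . $tag ) . '%'
    ) );

    foreach ( $posts as $post ) {
        if ( ! preg_match_all( $pattern, $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            // Capture group 3 of get_shortcode_regex() is the raw attribute string.
            $atts = shortcode_parse_atts( $m[3] );
            if ( ! is_array( $atts ) ) {
                continue; // shortcode used without attributes
            }
            foreach ( array( 'before_widget', 'after_widget' ) as $key ) {
                if ( isset( $atts[ $key ] ) && wp_kses( $atts[ $key ], $allowed ) !== $atts[ $key ] ) {
                    $tainted[] = array(
                        'ID'     => (int) $post->ID,
                        'author' => (int) $post->post_author,
                        'status' => $post->post_status,
                        'attr'   => $key,
                        'value'  => $atts[ $key ],
                    );
                }
            }
        }
    }
    return $tainted;
}
```

The design point is that before_widget and after_widget are meant to carry HTML, so escaping them as text would break the feature; an allow-list that admits only container elements with class and id is what lets the wrapper stay configurable while removing every script-bearing construct. The triage function matters because fixing the handler does not remove payloads already saved in pending or published posts: it reports each post, author and status so the content can be cleaned and the account reviewed.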
Affected Systems
Oboxmedia Ads (vendor: oboxgroup) for WordPress, all releases up to and including version 1.9.8. Later releases are not affected. Check the installed version in the WordPress plugin list (or with wp plugin list) and update any install at 1.9.8 or earlier to the current release.
Risk and Exploitability
A CVSS score of 6.4 places the issue in the Medium band. The EPSS score is below 1 % and the CVE is not listed in the CISA KEV catalog, so observed exploitation in the wild is unlikely at the time of writing. Exploitation requires an authenticated account with the Contributor role or above. Contributor is the lowest role that can write posts, so on sites with open registration, guest-author programmes, or stale accounts that precondition is easy to meet, and the low EPSS should not be read as low impact: a stored payload fires for every reader of the affected page, including staff with higher privileges who review the post.
OpenCVE Enrichment