The vulnerability is an improper neutralization of user input that allows an attacker to store malicious script in the Ad Blocking Detector plugin. When a victim views the affected page, the stored script executes in the victim’s browser, giving the attacker the ability to steal session cookies, inject content, hijack the user session or deface the site. This exploitation occurs only when the vulnerable data is displayed to other users, so the impact is confined to users who load the affected page.

The flaw affects the WordPress plugin Ad Blocking Detector from Admiral, affecting all versions up to and including 3.6.0. All sites running the plugin within the specified version range are potentially vulnerable.

The severity is rated CVSS 6.5, which represents moderate risk. The EPSS score of < 1 % indicates that the likelihood of public exploitation is low and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is through the plugin’s input fields where arbitrary content can be stored; an attacker must first place a malicious payload in the stored data, which will then be rendered when other users view the page. Once in place, the attack requires only a victim to visit the affected page to execute the injected script, with no privileged access needed on the server side.